[Discuss] NTP Gone Crazy?

Chuck Anderson cra at WPI.EDU
Sat Jan 11 21:15:37 EST 2014


Probably you were used in an NTP reflection DDoS attack.

The problem is the "monlist" command that ntpd provides.  Upgrade to
ntp-4.2.7 which removes that command, and/or add "noquery" to your
default restrict config.

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

On Sat, Jan 11, 2014 at 09:09:13PM -0500, Kent Borg wrote:
> I remember a story from the early days of the internet (maybe
> ARPANET at that point) when there was a bug in NTP and, for a time,
> it was most of the traffic on the internet...
> 
> Anyway, last night my internets at home were working normally, but
> this morning they were crappy.  I went out and when I got home they
> were still crappy.  I assumed it was Verizon's fault, what with
> their unmaintained copper wires...but that wasn't Verizon this
> time.
> 
> My NTP daemon went crazy.
> 
> I have an ancient (Ubuntu 7.04) basement server that does very basic
> things, roughly:
> 
>  - DHCP server,
>  - QEMU host for three little virtual machines, and
>  - NTP client/server.
> 
> When I called my DSL provider to complain I was told that I was
> pegging my upstream bandwidth.  Huh??
> 
> After poking around I finally isolated it: NTP.  Turn it on and my
> first-hop-ping jumps from a dozen-ish ms to several hundred-ish ms.
> Turn it off and the ping times fall back to dozen-ish ms.
> 
> I tried commenting out half my "server" entries in my /etc/ntp.conf
> file: same thing.  I tried commenting out all of the "server"
> entries and still the same thing.
> 
> Am I just dying of bit rot?  Something gone bad in my ntp binary??
> 
> Ideas?
> 
> 
> Thanks,
> 
> -kb, the Kent who figures it is a sign from God to build a new
> basement server.
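
The "noquery" fix suggested in the reply above, written as a check. This is an added example, not part of the original thread; the function name audit_ntp_conf and both sample configs are constructed for illustration. It flags any default restrict line in an ntp.conf that would still let ntpd answer monlist queries.

```python
# Added example: audit ntp.conf default "restrict" lines for noquery.
# "noquery" denies ntpq/ntpdc queries (monlist is one); "ignore" denies all packets.
BLOCKING = {"noquery", "ignore"}

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means queries are denied by default."""
    findings, seen_default = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args[0] in ("-4", "-6"):              # optional address-family selector
            args = args[1:]
        if not args or args[0] != "default":
            continue                             # host-specific entries are not the default
        seen_default = True
        if not BLOCKING & set(args[1:]):
            findings.append(f"line {lineno}: '{raw.strip()}' lacks noquery")
    if not seen_default:
        findings.append("no 'restrict default' line: ntpd answers queries from anyone")
    return findings

# Constructed sample configs (not taken from the poster's machine).
WEAK = """\
server 0.pool.ntp.org
restrict default nomodify notrap   # still answers monlist
restrict 127.0.0.1
"""
HARDENED = """\
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ntp_conf(conf) or "ok")
```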


