Recently, more and more often solves problems with attacks by ntpd, mostly with FreeBSD operating systems. Problem here lies in the fact, that the service is operated, at the default settings. In default settings is server unsecured/unconfigured against all recommendations.
Typical report:
Day Tue Dec 31. 2013 10:14:16, ddos-response@nfoservers.com wrote:
A public NTP server on your network participated in a very large-scale
attack against a customer of ours today, generating UDP responses
to spoofed requests with bogus timestamps that claimed to be from
the attack target.
[…]
If you have the ability to look at historical traffic data and
determine the true source of the spoofed traffic, please also do
this — we’d love for this attacker himself to be shut down and for
his ISP to fix its network configuration in order to stop others
from spoofing. With the 10x amplification factor of NTP DRDoS
attacks, it only takes one machine on an unfiltered 1 Gbps link to
generate 10 Gbps of nearly untraceable attack traffic.
Problem description from FreeBSD conference:
Ntps in FreeBSD have in default state commented “restrict default ignore”, so is possible under this type of attack to exploit it (in default state without configured firewall). https://svnweb.freebsd.org/base/release/9.2.0/etc/ntp.conf?view=markup
Solution is uncommenting and configuration – restrict default ignore, more in documentation:
https://support.ntp.org/Support/AccessRestrictions#Section_6.5.1.2.1.
Author: Jirka Dvořák
