NTP Configuration After The NTP DDoS

As you may be aware, the University has been subjected to an NTP DDoS attack which caused multiple short intervals when the Internet was unavailable. Given the intensity of the attack, JANET (our “ISP”) have implemented a firewall rule that only permits NTP access from their servers.

In addition, we have ourselves implemented a firewall rule that only allows NTP access to our official NTP servers. This has implications to anyone who has done their own thing in the past – not that there was anything wrong with that, but in the light of the DDoS attack it has been necessary to tighten things up.

If you do run your own NTP server – which you will know because you will have configured it in the past – then you should reconfigure the server with the details below :-

tinker panic 0
# Added according to Vmware recommendation
server ntp0.port.ac.uk
server ntp1.port.ac.uk
server ntp2.port.ac.uk
# Three servers to use (currently)
driftfile /var/lib/ntp/drift/ntp.drift 
# Keep track of how useful the local clock is
logfile   /var/log/ntp
# A log file. Do we need this?
keys /etc/ntp.keys
trustedkey 1
requestkey 1
# Details of security keys - which we don’t use
disable monitor
# Disable the dangerous stuff

The key elements to this configuration are :-

  1. The server list of ntp0.port.ac.uk, ntp1.port.ac.uk, and ntp2.port.ac.uk.
  2. The “disable monitor” which prevents the NTP server from taking part in a denial of service attack.

In addition, it is highly desirable to restart the NTP service once a day – /etc/init.d/ntp restart – which can be set up as a cronjob. This has practically no effect on the availability of the NTP service (it happens very quickly) and means that changes to the list of NTP servers take effect quickly.

And we’re planning on changing one of the NTP servers imminently.

This entry was posted in Uncategorized. Bookmark the permalink.