Categories
Admin ntp Security

Correct way to run an ntp server

Intro
Concerns about DOS and DDOS have been heightened recently, for instance http://securityaffairs.co/wordpress/20934/cyber-crime/symantec-network-time-protocol-ntp-reflection-ddos-attacks.html. A more bare-bones, antiseptic description is here in CVE-2013-5211. Unfortunately those inventive hackers have found new ways to create headaches for us good guys. Last month saw an increase in DDOS attacks using poorly configured public ntp servers to create packet amplification. I’ve looked into it and determined how to run an ntp server without exposing your server to being an unwitting source of this type of traffic.

The details
This mostly applies to SUSE Linux (SLES), but I don’t think the other Linux distros would be all that different. In SLES you have the NTP configuration in /etc/ntp.conf. You have of course the regular lines, plus the server lines, which may look something like this:

...
server otc1.psu.edu prefer
server ntp2.usno.navy.mil
server tock.usno.navy.mil prefer
server navobs1.wustl.edu
...

You may not be able to use these exact same servers – sometimes you need to ask permission first.

Now if that’s all you had, plus the driftfile and the other blah, blah, you’re probably in trouble. Test this from another Linux server beforehand. Something like:

> ntpdc -c monlist

If you start seeing lines like the following you’re in trouble:

remote address          port local address      count m ver code avgint  lstint
===============================================================================
ldrj1200.drjon.drjo.ne 58372 10.192.186.15          2 7 2      0     30       0
ns.drjohnstec.com      48944 10.192.186.15          1 7 2    5d0      0      11
neus.drj.drjohnstechta   123 10.192.186.15          8 3 2    5d0      2      13
...

That’s no good because with one udp packet a whole lot of packets can be returned, or worse, sent to a different target since in general the source IP address of the UDP query packet could be spoofed.

The solution
Of course what I’m writing here is not news. It’s just somewhat hard to understand the ntp documentation on this topic on the ntp.org web site.

In my experimentation I’ve found you should add into the ntp.conf file these lines:

restrict default kod nomodify notrap nopeer noquery
# but allow some hosts access
restrict 127.0.0.1
# our monitoring server
restrict 10.192.186.89

Then, a

> sudo service ntp restart

and your remote listing should produce something like this:

> ntpdc -c monlist ntp1.johnstechtalk.com

ntp1.johnstechtalk.com: timed out, nothing received
***Request timed out

and equally important, you can still locally query your ntp server to see that it is still syncing time:

> ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l    5   64  377    0.000    0.000   0.001
*gps1.tns.its.ps .GPS.            1 u  886 1024  377   28.554    3.396   6.836
+ntp2.usno.navy. .PTP.            1 u  154 1024  377   13.124   -1.422   4.658
+tock.usno.navy. .PTP.            1 u  965 1024  377   13.906   -0.058   0.910
+navobs1.wustl.e .GPS.            1 u  194 1024  377   30.817    0.274   1.927

And, equally important, your local servers using your ntp server should also continue to be able to sync time against the ntp server you have set up.

Conclusion
We have shown how to prevent your ntp server from being using in a DDOS attack. Most ntp servers are probably protected by a firewall of some sort, but it still might be a good idea to lock it down in this way as a best security practice.

The official advice talks about upgrading to ntp version 4.7, but I find this impractical for a couple reasons. It is not generally available from the distro package vendors, and it is considered a development release. Hence the effort to massage the configuration of an older NTP server as I’ve documented here to make it invulnerable to this problem.

References
The IT Detective Agency: ntp server shows the wrong time after patching

One reply on “Correct way to run an ntp server”

Dr. John –
Your absolutely lucid on point treatment of this issue was a tremendous help. It solved an issue that I have been battling for days on a SuSE SLES 11 SP1 server for a client.
The one twist we discovered was that it did not clear all the spoofing traffic, just the vast majority. In the end we added
disable monitor
to the ntp.conf file until we have time to revisit the issue.
Thanks again for your good work!
– Gary

Leave a Reply

Your email address will not be published. Required fields are marked *