What's going on with NTP?
I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help.
The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.)
Is this just my special Christmas present, or are there screwed up NTP servers?
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
On Dec 25, 2013, at 11:35 AM, John Levine <johnl@iecc.com> wrote:
> I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help.
> The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.)
> Is this just my special Christmas present, or are there screwed up NTP servers?
I suspect your servers are being attacked. Are you seeing a lot of in/out NTP traffic on those FreeBSD servers?
-jav
There have been a lot of NTP reflection attacks recently. Think the same as dns amplification. Make sure you restrict access and know how to look at the client list. Jared Mauch
On Dec 25, 2013, at 10:42 AM, Javier Henderson <javier@kjsl.org> wrote:
> On Dec 25, 2013, at 11:35 AM, John Levine <johnl@iecc.com> wrote:
>> I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help.
>> The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.)
>> Is this just my special Christmas present, or are there screwed up NTP servers?
> I suspect your servers are being attacked. Are you seeing a lot of in/out NTP traffic on those FreeBSD servers?
> -jav
On 12/25/2013 11:35 AM, John Levine wrote:
> I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help.
> The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.)
> Is this just my special Christmas present, or are there screwed up NTP servers?
> Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
you probably need to configure them correctly with:
restrict default ignore
and add additional restrict lines if you have need for other legitimate servers to make contact with them. i suspect right now you're providing an ntp amplification attack to the spoofed source address.
-david
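Added example, not part of the message above or of the thread: a small Python check that reads an ntp.conf and reports whether a `restrict default` entry still lets ntpd answer ntpq/ntpdc queries, the kind of request abused for reflection. The sample configurations and the address 192.0.2.10 are constructed, and the parser is a simplification that only inspects `default` entries and ignores address-family differences.

```python
# Added example: audit "restrict default" lines in an ntp.conf (simplified).
BLOCKS_QUERIES = {"ignore", "noquery"}  # either flag refuses ntpq/ntpdc queries

def default_restrict_lines(conf_text):
    """Yield (line_number, flags) for each 'restrict [-4|-6] default ...' line."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields or fields[0] != "restrict":
            continue
        args = fields[1:]
        if args and args[0] in ("-4", "-6"):     # optional address-family selector
            args = args[1:]
        if args and args[0] == "default":
            yield number, set(args[1:])

def audit(conf_text):
    """Return a list of findings; an empty list means queries are refused by default."""
    entries = list(default_restrict_lines(conf_text))
    if not entries:
        # With no default entry, ntpd applies no restrictions at all.
        return ["no 'restrict default' line: ntpd answers queries from any address"]
    findings = []
    for number, flags in entries:
        if not flags & BLOCKS_QUERIES:
            findings.append(f"line {number}: default entry lacks 'noquery' or 'ignore'")
    return findings

# Constructed sample configurations (not taken from the thread).
OPEN_CONF = """\
server 192.0.2.10 iburst
restrict default nomodify notrap   # still answers status queries
restrict 127.0.0.1
"""

CLOSED_CONF = """\
server 192.0.2.10 iburst
restrict default ignore            # the line suggested in the thread
restrict -6 default ignore
restrict 192.0.2.10 nomodify notrap noquery   # let the upstream server's replies in
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("closed", CLOSED_CONF)):
        print(name, audit(conf) or "ok")
```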
On Wed, Dec 25, 2013 at 5:35 PM, John Levine <johnl@iecc.com> wrote:
> I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help.
> The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.)
> Is this just my special Christmas present, or are there screwed up NTP servers?
The old NTP server in FreeBSD has a bug that allows it to be used for reflection DoS attacks:
http://lists.freebsd.org/pipermail/freebsd-current/2013-November/046822.html
Regards,
Olivier
participants (6)
- David Ford
- Jared Mauch
- Javier Henderson
- John Levine
- Olivier Cochard-Labbé
- Randy Bush