NTP
Command to scan a device and view its NTP connection responses:
ntpdc -c monlist <IP address>
Example of command and output
Command:
ntpdc -c monlist 146.6.177.21
Output:
remote address port local address count m ver rstr avgint lstint
===============================================================================
ns1.utexas.edu 123 146.6.177.21 43244 4 4 0 1065 6
ns2.utexas.edu 123 146.6.177.21 43230 4 4 0 1065 62
security-scanner05.inf 61021 146.6.177.21 1 3 4 0 107 107
58.215.177.51 40205 146.6.177.21 1 3 4 0 1855107 1855107
matlock.infosec.utexas 57096 146.6.177.21 4 3 3 0 921718 1912102
cpe-173-174-33-58.aust 34854 146.6.177.21 4 3 4 0 481147 1924159
security-scanner142.in 43852 146.6.177.21 1 3 4 0 2212475 2212475
security-scanner113.in 56052 146.6.177.21 2 3 4 0 1444282 2887937
feederfish.infosec.ute 51834 146.6.177.21 7 3 4 0 696372 3045750
Note: According to the ISO, the only remote addresses that connect to a device should be ns1.utexas.edu and ns2.utexas.edu.
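Added example (not part of the original page): a small Python check that parses monlist output and flags every remote address other than the two the ISO note allows. The script name audit_monlist.py and the function names are assumptions made for this illustration; the sample rows are copied from the output above.

```python
# Added example: audit `ntpdc -c monlist` output against an allow-list of peers.
ALLOWED_REMOTES = {"ns1.utexas.edu", "ns2.utexas.edu"}  # per the ISO note on this page

# Rows copied from the example output on this page (subset).
SAMPLE_OUTPUT = """\
remote address port local address count m ver rstr avgint lstint
===============================================================================
ns1.utexas.edu 123 146.6.177.21 43244 4 4 0 1065 6
ns2.utexas.edu 123 146.6.177.21 43230 4 4 0 1065 62
security-scanner05.inf 61021 146.6.177.21 1 3 4 0 107 107
58.215.177.51 40205 146.6.177.21 1 3 4 0 1855107 1855107
"""

def parse_monlist(text):
    """Return one dict per data row; header, separator and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly 9 fields and a numeric port in the second column.
        if len(fields) != 9 or not fields[1].isdigit():
            continue
        rows.append({
            # ntpdc truncates long hostnames, so an allow-list entry longer than
            # the column width would never match exactly; short names are fine.
            "remote": fields[0].lower(),
            "port": int(fields[1]),
            "local": fields[2],
            "count": int(fields[3]),
            "lstint": int(fields[8]),
        })
    return rows

def unexpected_remotes(rows, allowed=ALLOWED_REMOTES):
    """Rows whose remote is not on the allow-list, in the order ntpdc listed them."""
    return [r for r in rows if r["remote"] not in allowed]

if __name__ == "__main__":
    import sys
    # Pipe real output in: ntpdc -c monlist <IP address> | python3 audit_monlist.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    flagged = unexpected_remotes(parse_monlist(text))
    for r in flagged:
        print(f"UNEXPECTED {r['remote']} port={r['port']} "
              f"count={r['count']} lstint={r['lstint']}s")
    sys.exit(1 if flagged else 0)
```

A non-zero exit status means at least one remote outside the allow-list appeared in the monitor list, so the check can be dropped into a cron job or configuration audit.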
For "standard" Linux distributions, devices should be configured as shown below to restrict remote NTP address connections:
edit /etc/inet/ntp.client -> ntp.conf
Added:
#added for DDoS prevention - don't allow any machine, except those w/o flags
restrict default notrust nomodify noquery
restrict 127.0.0.1
restrict 146.6.177.21
restrict 128.83.185.40
restrict 128.83.185.41
restrict 146.6.177.23
restrict 146.6.177.22
restrict 146.6.177.15
restrict 146.6.177.16
restrict 172.16.54.150
restrict 128.83.59.200
Note: The IP addresses listed in the configuration file are