[ntp:questions] better rate limiting against amplification attacks?

Terje Mathisen terje.mathisen at tmsw.no
Thu Jan 9 09:19:26 UTC 2014


A C wrote:
> On 1/8/2014 18:31, William Unruh wrote:
>> But this sounds like it is shooting someone else in the foot. That is
> more serious. I.e., the default is that you should have to work quite hard
>> to enable the system to run these amplification attacks (I assume that
>> this is using the control system to send control/info packets, rather
>> than ntp time protocol packets)
>
> It is unclear (or, more correctly, not publicly documented yet) whether
> the attack used the monlist function (outlined in a CERT advisory in
> December) or some other method utilizing NTP protocols.  But it was
> enough of an attack to cripple the gaming servers for some time.
>
It is indeed using the 'ntpdc -c monlist' mode 7 packet with a faked
sender to do these attacks; we've added 'noquery' to our three external
IPv4 pool servers.

(This is after our CERT guys saw multiple attempts to use those servers
as part of a DDoS attack.)

My home IPv6 server still allows external users to ask for the monitor
list, but only via the new 'ntpq -c mrulist' interface which is safe
against fake sender/redirect attacks.

Terje

-- 
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
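
An added example, not part of the original message: a classifier a server operator could run over captured UDP/123 payloads to see whether the mode 7 monlist traffic described above is hitting a server, and which addresses the requests claim to come from. The function names are hypothetical, the request codes 20 and 42 are taken from ntpd's mode 7 definitions (an assumption not stated in the post), and the addresses and payload sizes are constructed sample data.

```python
import struct
from collections import Counter

MODE_CONTROL, MODE_PRIVATE = 6, 7   # ntpq (mode 6) and ntpdc (mode 7) packets
MONLIST_CODES = {20, 42}            # REQ_MON_GETLIST, REQ_MON_GETLIST_1

def classify(payload: bytes) -> str:
    """Label one UDP/123 payload using the mode bits of its first octet."""
    if len(payload) < 4:
        return "short"
    b0, _seq, _impl, code = struct.unpack("!4B", payload[:4])
    mode = b0 & 0x07
    if mode == MODE_PRIVATE:
        if code not in MONLIST_CODES:
            return "mode7-other"
        # Top bit of a mode 7 header is the response flag.
        return "monlist-response" if b0 & 0x80 else "monlist-request"
    return "mode6-control" if mode == MODE_CONTROL else "time"

def reflection_report(packets):
    """packets: (src_ip, dst_ip, payload) tuples captured at the server.

    Returns (Counter of claimed request sources, response/request byte ratio).
    With a faked sender, the claimed source is the address being flooded.
    """
    claimed, bytes_in, bytes_out = Counter(), 0, 0
    for src, _dst, payload in packets:
        kind = classify(payload)
        if kind == "monlist-request":
            claimed[src] += 1
            bytes_in += len(payload)
        elif kind == "monlist-response":
            bytes_out += len(payload)
    return claimed, (bytes_out / bytes_in if bytes_in else 0.0)

# Constructed sample capture (documentation addresses, zero-filled bodies).
SERVER, CLAIMED, CLIENT = "192.0.2.10", "198.51.100.7", "203.0.113.5"
SAMPLE = (
    [(CLIENT, SERVER, bytes([0x23]) + bytes(47))]                    # mode 3 time query
    + [(CLAIMED, SERVER, bytes([0x17, 0, 3, 42]) + bytes(44))]       # mode 7 request
    + [(SERVER, CLAIMED, bytes([0x97, 0, 3, 42]) + bytes(436))] * 3  # mode 7 replies
    + [(CLIENT, SERVER, bytes([0x16, 2]) + bytes(10))]               # mode 6 (ntpq)
)

if __name__ == "__main__":
    print(reflection_report(SAMPLE))
```

Once 'noquery' is in place the monlist-response count for the server should fall to zero, while ordinary "time" traffic is unaffected.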


