[Pool] flood from 75.76.155.206

ntppool at arpage.org ntppool at arpage.org
Thu May 9 14:33:09 UTC 2013


Reflective multiplication attacks are the current vogue.  Send a small 
DNS query with a forged return address to an authoritative server and get 
a much larger reply in turn.

NTP wouldn't be a good target for such an attack because the response is 
the same size as the query.  Could still be used in a reflective attack 
but it wouldn't have the multiplication effect of a reflective DNS attack.

I put a rate limit on my DNS server to keep it from being used for this 
sort of attack.  Also have a rate limit on NTPD.  In the long run the 
only solution to this problem is for ISPs to stop forged packets at 
their network edge.  There's no reason they should be dumping packets 
with return addresses outside their network onto the internet.

Tim

On 5/9/2013 10:05 AM, AlbyVA wrote:
>
>    Given this new age of Botnet Armies DDoSing servers for a variety of
> reasons, this is something to keep an eye on. Config fat fingers can be
> fixed once word gets back to the source. But deliberate attacks may
> become more of a pain in the rear.
>
>    I now wonder about the implications if a DDoS attack is directed at
> pool.ntp.org <http://pool.ntp.org> or the XX.ntpns.org <http://XX.ntpns.org>
> DNS servers. That might not be cool.
>
> -Alby
>
> On Thu, May 9, 2013 at 8:55 AM, <ntppool at arpage.org
> <mailto:ntppool at arpage.org>> wrote:
>
>     Flood stopped around 22:50 EDT
>
>     Tim
>
>     On 5/8/2013 6:49 PM, ntppool at arpage.org <mailto:ntppool at arpage.org>
>     wrote:
>
>         I just fired off an e-mail to their abuse department.  If you do the
>         same perhaps they'll take it seriously enough to investigate.
>         Might be a reflective attack that they can't do anything about, but
>         if it's just a customer with a badly configured NTP client they
>         ought to be able to resolve the issue for us.
>
>         Tim
>
>         On 05/08/2013 10:58 AM, Stuart Berry wrote:
>
>             I have just checked my logs and I'm getting between 300 - 1500
>             requests a second from this IP. Looks like it's been happening
>             for roughly the last 72 hours.
>
>             I've just blocked it at my edge, not sure if it's worth worrying
>             about any further. I'll monitor it for the next few days and if
>             it doesn't subside I'll contact the abuse for that block.
>
>             Stuart.
>
>             AlbyVA <albyva at empire.org <mailto:albyva at empire.org>> wrote:
>
>                I would contact your provider's abuse/security group
>             about a possible DDoS attack from this address.
>             They should be able to filter the traffic before it eats up your
>             bandwidth.
>
>             AS      | IP               | AS Name
>             12083   | 75.76.155.206    | WOW-INTERNET - WideOpenWest Finance LLC
>
>
>             -Alby
>
>             On Wed, May 8, 2013 at 10:03 AM, <ntppool at arpage.org
>             <mailto:ntppool at arpage.org>> wrote:
>
>                  For the last six hours or so I have seen an obnoxious
>                  rate of requests (ranging from 60 to 300 per second) from
>                  the aforementioned IP.  Not sure if it's a badly
>                  implemented client or someone trying to use my server for
>                  some sort of reflective attack.  It has long since been
>                  blocked by my firewall but I've been running servers in
>                  the pool for a few years now and never had to deal with
>                  this before.
>
>                  Curious if anybody else has seen this?  Any suggestions
>                  for what to do about it other than block the traffic at my
>                  edge and wait for it to die down?
>                  ___________________________________________________
>                  pool mailing list
>                  pool at lists.ntp.org <mailto:pool at lists.ntp.org>
>                  http://lists.ntp.org/listinfo/pool
>
>
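Two things come up repeatedly in this thread: checking how hard a single source is hitting a server (Stuart's "300 - 1500 requests a second" from his logs) and Tim's per-source rate limit on ntpd. Here is an added example that puts both into working code; it is not code from the NTP pool project or from ntpd. It assumes a constructed log format of one "<unix_time> <source_ip>" line per received request, with a sample log built inline, and the token bucket is the generic shape of a per-client response limit rather than ntpd's own implementation.

```python
"""Per-source request-rate detection and limiting for a UDP service such as NTP.

Added example for this thread; it is not code from the NTP pool project or
ntpd. It assumes a constructed log format of "<unix_time> <source_ip>" per
received request, one line each.
"""
from collections import defaultdict, deque

# Constructed sample log: a normal client (two polls) and one source that
# sends 200 requests inside a single second, the kind of flood described
# in the thread.
SAMPLE_LOG = "\n".join(
    ["1368000000.000 198.51.100.7"]
    + [f"1368000000.{ms:03d} 203.0.113.9" for ms in range(0, 1000, 5)]
    + ["1368000001.500 198.51.100.7"]
)


def parse_log(text):
    """Return (timestamp, source_ip) tuples in arrival order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        events.append((float(ts), ip))
    return events


def peak_rate_per_source(events, window=1.0):
    """Highest number of requests any source sent within any `window` seconds.

    One sliding window (deque of timestamps) per source: arrivals older than
    `window` are evicted before the current arrival is counted.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in events:
        dq = recent[ip]
        dq.append(ts)
        while dq[0] <= ts - window:
            dq.popleft()
        peak[ip] = max(peak[ip], len(dq))
    return dict(peak)


def flag_sources(peaks, threshold):
    """Sources whose peak per-window request count reached the threshold."""
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


class PerSourceTokenBucket:
    """One token bucket per source IP: `rate` tokens/second, at most `burst`.

    A request is answered only if a token is available, so a flooding source
    is served at most `rate` times per second once its burst allowance is
    spent, while well-behaved clients that poll rarely are never affected.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        # Small tolerance so accumulated float error cannot deny an exact refill.
        ok = tokens >= 1.0 - 1e-9
        if ok:
            tokens -= 1.0
        self.state[ip] = (tokens, now)
        return ok


def simulate_limit(events, rate, burst):
    """Replay the log through the limiter; returns ip -> (answered, dropped)."""
    bucket = PerSourceTokenBucket(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in events:
        counts[ip][0 if bucket.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    peaks = peak_rate_per_source(evs)
    print("peak requests/second per source:", peaks)
    print("sources at or over 100 req/s:", flag_sources(peaks, 100))
    print("with a 10/s, burst-20 limit:", simulate_limit(evs, rate=10, burst=20))
```

On the sample log the flooding source peaks at 200 requests in one second and is the only one flagged at a 100/s threshold; with a 10 tokens/s, burst-20 limit it gets roughly 30 of its 200 requests answered while the normal client's two polls both go through. The detection side is what you would run over real server logs before deciding whether a source is a misconfigured client or something worth an abuse report; the limiter side is the mechanism that keeps a server from serving as a reflector regardless of which it turns out to be.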


