[Pool] flood from

AlbyVA albyva at empire.org
Thu May 9 14:58:05 UTC 2013

 I agree, DNS Reflective attacks can do harm, but my remarks were more
along the lines of
servers running Joomla or other web software which gets turned into bots
that start pounding
targets on a specific port(s).

 The financial sector is currently dealing with these types of attacks more
so than being a
victim of reflective attacks. Typically a 1,000 or so websites with code
that can be compromised
will be instructed to start a TCP SYN flood (one of many types of attack
vectors) assault on a
specific DNS name or IP address. So ISP's implementing BCP38 (
or DNS servers reconfiguring as Closed won't do much to save you. Since the
traffic will all be
coming from valid ip addresses.

It's not so much Port 123/UDP on our NTP server side we should worry about,
it's the whole server itself
and the bandwidth of our links. You figure that if (pool.ntp.org) came
under assault it looks like (4) servers
every 3 minutes would get pounded by junk traffic on any port/protocol the
attacker felt like targeting.
Or if they went after the ntpns.org DNS servers, all 3700+ pool servers
would be knocked offline until
something was done or the attack stopped. I doubt the Pool Project is up
for paying a company like
Prolexic to provide DDoS mitigation for the authoritative name servers.

 I suppose for now, we can pray nobody takes aim at our wonderful pool
project. :)


On Thu, May 9, 2013 at 10:33 AM, <ntppool at arpage.org> wrote:

> Reflective multiplication attacks are the current vogue.  Send a small DNS
> query with a forged return address to a authoritative server and get a much
> larger reply in turn.
> NTP wouldn't be a good target for such an attack because the response is
> the same size as the query.  Could still be used in a reflective attack but
> it wouldn't have the multiplication effect of a reflective DNS attack.
> I put a rate limit on my DNS server to keep it from being used for this
> sort of attack.  Also have a rate limit on NTPD.  In the long run the only
> solution to this problem is for ISPs to stop forged packets as their
> network edge.  There's no reason they should be dumping packets with return
> addresses outside their network onto the internet.
> Tim
> On 5/9/2013 10:05 AM, AlbyVA wrote:
>>    Given this new age of Botnet Armies DDoSing servers for a variety of
>> reasons, this is something
>> to keep an eye on. Config Fat fingers can be fixed once word gets back
>> to the source. But deliberate
>> attacks may become more of a pain in the rear.
>>    I now wonder about the implications if a DDoS attack is directed at
>> pool.ntp.org <http://pool.ntp.org> or the XX.ntpns.org
>> <http://XX.ntpns.org>
>> DNS servers. That might not be cool.
>> -Alby
>> On Thu, May 9, 2013 at 8:55 AM, <ntppool at arpage.org
>> <mailto:ntppool at arpage.org>> wrote:
>>     Flood stopped around 22:50 EDT
>>     Tim
>>     On 5/8/2013 6:49 PM, ntppool at arpage.org <mailto:ntppool at arpage.org>
>>     wrote:
>>         I just fired off an e-mail to their abuse department.  If you do
>> the
>>         same perhaps they'll take it seriously enough to investigate.
>>           Might be
>>         a reflective attack that they can't do anything about, but if
>>         it's just
>>         a customer with a badly configured NTP client they ought to be
>>         able to
>>         resolve the issue for us.
>>         Tim
>>         On 05/08/2013 10:58 AM, Stuart Berry wrote:
>>             I have just checked my logs and I'm getting between 300 - 1500
>>             requests a second from this IP. Looks like its been
>>             happening for
>>             roughly the last 72 hours.
>>             I've just blocked it at my edge, not sure if its worth
>>             worrying about
>>             any further. I'll monitor it for the next few days and if it
>>             doesn't
>>             subside I'll contact the abuse for that block.
>>             Stuart.
>>             AlbyVA <albyva at empire.org <mailto:albyva at empire.org>> wrote:
>>                I would contact your provider's abuse/security group
>>             about a possible
>>             DDoS attack from this address.
>>             They should be able to filter the traffic before it eats up
>> your
>>             bandwidth.
>>             AS      | IP               | AS Name
>>             12083   |    | WOW-INTERNET - WideOpenWest
>>             Finance LLC
>>             -Alby
>>             On Wed, May 8, 2013 at 10:03 AM, <ntppool at arpage.org
>>             <mailto:ntppool at arpage.org>
>>             <mailto:ntppool at arpage.org <mailto:ntppool at arpage.org>>>
>> wrote:
>>                  For the last six hours or so I have seen an obnoxious
>>             rate of
>>                  requests (ranging from 60 to 300 per second) from the
>>             aforementioned
>>                  IP.  Not sure if it's a badly implemented client or
>>             someone trying
>>                  to use my server for some sort of reflective attack.
>>               It has long
>>                  since been blocked by my firewall but I've been running
>>             servers in
>>                  the pool for a few years now and never had to deal with
>>             this before.
>>                  Curious if anybody else has seen this?  Any suggestions
>>             for what to
>>                  do about it other than block the traffic at my edge and
>>             wait for it
>>                  to die down?
>>                  ______________________________**_____________________
>>                  pool mailing list
>>             pool at lists.ntp.org <mailto:pool at lists.ntp.org>
>>             <mailto:pool at lists.ntp.org <mailto:pool at lists.ntp.org>>
>>             http://lists.ntp.org/listinfo/**____pool<http://lists.ntp.org/listinfo/____pool>
>>             <http://lists.ntp.org/**listinfo/__pool<http://lists.ntp.org/listinfo/__pool>
>> >
>>                  <http://lists.ntp.org/__**listinfo/pool<http://lists.ntp.org/__listinfo/pool>
>>             <http://lists.ntp.org/**listinfo/pool<http://lists.ntp.org/listinfo/pool>
>> >>
>>         ______________________________**___________________
>>         pool mailing list
>>         pool at lists.ntp.org <mailto:pool at lists.ntp.org>
>>         http://lists.ntp.org/listinfo/**__pool<http://lists.ntp.org/listinfo/__pool>
>>         <http://lists.ntp.org/**listinfo/pool<http://lists.ntp.org/listinfo/pool>
>> >
>>     ______________________________**___________________
>>     pool mailing list
>>     pool at lists.ntp.org <mailto:pool at lists.ntp.org>
>>     http://lists.ntp.org/listinfo/**__pool<http://lists.ntp.org/listinfo/__pool>
>>     <http://lists.ntp.org/**listinfo/pool<http://lists.ntp.org/listinfo/pool>
>> >
> ______________________________**_________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/**pool <http://lists.ntp.org/listinfo/pool>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/pipermail/pool/attachments/20130509/2c0b4a2c/attachment-0001.html>

More information about the pool mailing list