[Pool] [D]DoS attack characteristics and mitigation
brak at constant.com
Mon Feb 10 15:06:22 UTC 2014
On 2/10/2014 9:29 AM, Jim Reid wrote:
> On 10 Feb 2014, at 14:13, Miroslav Lichvar <mlichvar at redhat.com> wrote:
>>>> Were the servers configured with restrict noquery?
>>> Yes. They've configured that way for years:
>>> % grep noquery /etc/ntp.conf
>>> restrict default kod nomodify notrap nopeer noquery limited
>>> restrict -6 default kod nomodify notrap nopeer noquery limited
>> That's odd. With noquery the server should respond only to normal
>> client requests and with limited+kod the outgoing packet rate should
>> be much smaller and not useful for an amplification/reflection attack.
> Indeed. However my servers were (D)DoS'ed, probably in reflection attacks.
If you were the target of the DDOS, and not an amplification vector, no
amount of ntpd changes will help. I'm unclear of which you were.
> The point I was making was the above config file options didn't really help against those attacks on my NTP servers. So presumably if a bad guy's got a big enough botnet or using millions of fake source addresses ntpd's rate-limiting isn't up to the job => applying defensive measures in the upstream routers.
Was this machine hosting other services? I find it odd someone would
choose to DDOS your NTP server. I suspect that another service on the
machine as a target, and the fact that it used port 123 was just because
it was using other hosts as reflectors.
> Perhaps it's time to think about switching public NTP servers to TCP transport and only use UDP on the LAN?
That's unlikely to be of any help in the near future. A lot of these
exploited servers are embedded devices (IPMI controllers, routers,
etc). Many of the ones that I've seen are still running 4.2.4 or below,
so no amount of changing the protocol now is going to help.
I have had good luck with sending out abuse complaints to the attacking
IPs. Most people are willing to help fix their server's configurations.
More information about the pool