[Pool] DDoS Type Attack
nyamul at gmail.com
Thu Feb 13 23:41:09 UTC 2014
Thank you for the quick response!
We are currently using these base rules:
restrict default limited kod notrap nopeer
disable monitor ### This was added recently
We'll add the "noquery" as you suggested to the top line. Would you have
any other suggestions for us?
On Fri, Feb 14, 2014 at 5:29 AM, Anssi Johansson <timekeeper at miuku.net> wrote:
> Nyamul Hassan wrote:
>> From the documentation, and all literature that I can find on the
>> it seems any remote client who needs to talk to our NTP servers on UDP
>> must also originate the request from UDP 123. Considering this, we have
>> firewalled any traffic for/from UDP 123 on our servers that does not
>> start/end in UDP 123 on the remote machines.
>> Could someone confirm if this is correct? Or are we blocking legitimate
>> requests as well?
> You are blocking legitimate requests as well. One example: traffic coming
> from behind NAT firewalls. NAT changes the source port to some other port.
> Adding "limited kod" to your "restrict default" line in ntp.conf is
> usually a rather good countermeasure. I would also suggest adding "noquery"
> to that line to prevent the recent NTP amplification attacks.
> See http://support.ntp.org/bin/view/Support/AccessRestrictions and
> pool mailing list
> pool at lists.ntp.org
More information about the pool
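As an added illustration (not part of the thread) of the two points above, namely that a source-port filter drops NAT'd clients while "noquery" refuses only mode 6/7 queries, this Python snippet decodes the NTP mode field and runs constructed packets through both policies. The packet bytes, port numbers and function names are constructed for the example.

```python
"""Added example: NTP header decoding and two access policies compared."""

NTP_PORT = 123
# First NTP header byte: (leap_indicator << 6) | (version << 3) | mode
MODE_CLIENT = 3    # ordinary time request from a client
MODE_CONTROL = 6   # ntpq-style control query
MODE_PRIVATE = 7   # ntpdc-style private query (the amplification vector)

def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode field from the first header byte."""
    if not payload:
        raise ValueError("empty payload")
    return payload[0] & 0x07

def ntp_version(payload: bytes) -> int:
    """Return the 3-bit version number from the first header byte."""
    return (payload[0] >> 3) & 0x07

def source_port_policy(src_port: int, payload: bytes) -> str:
    """The firewall rule from the original post: accept only when the remote
    side used UDP 123. The packet content is never looked at."""
    return "accept" if src_port == NTP_PORT else "drop"

def noquery_policy(src_port: int, payload: bytes) -> str:
    """What 'restrict default ... noquery' achieves: time requests are served
    from any source port; mode 6/7 control and private queries are refused."""
    if ntp_mode(payload) in (MODE_CONTROL, MODE_PRIVATE):
        return "drop"
    return "accept"

def make_client_request(version: int = 4) -> bytes:
    """Constructed 48-byte client request (mode 3); all other fields zero."""
    return bytes([(version << 3) | MODE_CLIENT]) + bytes(47)

def make_private_query() -> bytes:
    """Constructed minimal mode-7 header (version 2); only the mode matters."""
    return bytes([(2 << 3) | MODE_PRIVATE]) + bytes(7)

# Constructed samples: a client behind NAT arrives from an ephemeral port.
SAMPLES = [
    ("NAT client", 51324, make_client_request()),
    ("plain client", 123, make_client_request()),
    ("private query", 123, make_private_query()),
]

def compare_policies() -> dict:
    """Map each sample to (source_port_policy, noquery_policy) decisions."""
    return {name: (source_port_policy(port, data), noquery_policy(port, data))
            for name, port, data in SAMPLES}

if __name__ == "__main__":
    for name, decisions in compare_policies().items():
        print(f"{name:14s} port-filter={decisions[0]:6s} noquery={decisions[1]}")
```

The NAT'd client is dropped by the port filter but served under "noquery", while the mode-7 query from port 123 passes the port filter and is refused by "noquery".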