[Pool] DDoS Type Attack

Max Grobecker max+ntplist at grobecker.info
Thu Feb 13 23:51:36 UTC 2014


On 14.02.2014 00:18, Nyamul Hassan wrote:

> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123.  

That's not correct - the CLIENT may use any local port.
The client MAY use Source-Port 123, but there's no need for that (and,
in fact, behind NAT it's not very handy the other way...).

> Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.

OK... So how do you get your NTP server synced to other servers?
Their answers will originate from Port 123 ;-)

I think you will block at least 90% of legitimate traffic that way.
My solution is to rate-limit the amount of requests per IP by iptables,
so if I get more than 30 Requests per Minute originating from one IP it
won't get any answer for some time.
This way my server can't be used for large reflection attacks against
other servers without disturbing legitimate clients.

Also, you should tell your firewall to discard any filtered packet
instead of rejecting them.
If your host sends an ICMP message "port unreachable" or "protocol not
available" or whatsoever, you'll send a message. This message is not
very large but can be used in attacks which hammer the target with
loooots of packets.

In January, there were some iptables examples on this list, maybe you
find something suitable for your needs :-)

Greetings from Wuppertal, Germany
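The per-source rate limit and the "drop, don't reject" advice from the message above, written out as an iptables rule set. This is an added example, not the poster's own rules or anything from the pool project; it assumes the NTP daemon listens on UDP 123, a limit of 30 requests per minute per source IP (the number the poster mentions), the iptables `hashlimit` and `conntrack` match extensions, and that the rule set is loaded with `iptables-restore`. The chain name NTP-IN and the environment variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): per-source-IP rate limiting of
# an NTP server with iptables hashlimit, dropping excess silently so the host
# cannot be used as a reflector and sends no ICMP errors either.
# Assumptions: ntpd on UDP 123, 30 req/min per source, hashlimit + conntrack
# matches available, rules loaded via iptables-restore. NTP-IN is hypothetical.
set -eu

NTP_RATE="${NTP_RATE:-30/minute}"          # sustained rate allowed per source IP
NTP_BURST="${NTP_BURST:-30}"               # bucket size: how many may arrive at once
NTP_EXPIRE_MS="${NTP_EXPIRE_MS:-60000}"    # idle time before a source is forgotten

# Emit the rule set in iptables-restore format. Nothing is applied here, so the
# output can be reviewed (or diffed against the running rules) first.
ntp_ruleset() {
    cat <<EOF
*filter
:NTP-IN - [0:0]
# Everything arriving on UDP/123 goes to the dedicated chain; the remote
# source port is deliberately not matched (clients may use any port).
-A INPUT -p udp --dport 123 -j NTP-IN
# Answers to our own upstream queries travel in the REPLY direction of a
# conntrack entry we created. Matching --ctdir REPLY (not just ESTABLISHED)
# keeps ordinary clients from skipping the limit once we have answered them.
-A NTP-IN -m conntrack --ctstate ESTABLISHED --ctdir REPLY -j ACCEPT
# Client requests: one token bucket per source IP, $NTP_RATE sustained,
# up to $NTP_BURST in a burst; entries are kept ${NTP_EXPIRE_MS} ms after the last packet.
-A NTP-IN -m hashlimit --hashlimit-name ntp-clients --hashlimit-mode srcip --hashlimit-upto $NTP_RATE --hashlimit-burst $NTP_BURST --hashlimit-htable-expire $NTP_EXPIRE_MS -j ACCEPT
# Over the limit: DROP, not REJECT, so no ICMP "port unreachable" can be
# bounced at a spoofed source.
-A NTP-IN -j DROP
COMMIT
EOF
}

# Load the rules without flushing what is already in the filter table.
# Needs root; re-running appends a second INPUT jump, so flush NTP-IN and
# delete the jump before loading again.
ntp_apply() {
    ntp_ruleset | iptables-restore --noflush
}

# Stand-alone: print the rule set; APPLY=1 loads it instead.
if [ "${APPLY:-0}" = "1" ]; then
    ntp_apply
else
    ntp_ruleset
fi
```

Run it without arguments to inspect the generated rules, then `APPLY=1 sh ntp-limit.sh` as root to load them. A source that exceeds the bucket gets no answer until enough tokens have refilled at the configured rate, which is the "no answer for some time" behaviour described above; upstream servers you sync from are unaffected because their replies are accepted by the conntrack rule before the limit is consulted.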
