[Pool] DDoS Type Attack

Brian Rak brak at constant.com
Fri Feb 14 00:21:51 UTC 2014


disable monitor     ###  This was added recently

The fact that you added this recently means that you've got a ton of 
people trying to abuse your server to conduct DDoS attacks.  I wouldn't 
recommend you do anything further for a while.  Now that you aren't 
vulnerable, you'll drop off the reflection lists in time.

On 2/13/2014 6:41 PM, Nyamul Hassan wrote:
> Thank you for the quick response!
>
> We are currently using these base rules:
>
> restrict default limited kod notrap nopeer
> restrict 127.0.0.1
> server clock.isc.org
> server bonehed.lcs.mit.edu
> server time.nist.gov
> peer xxx1
> peer xxx2
> peer xxx3
> peer xxx4
> disable monitor     ###  This was added recently
> driftfile /var/lib/ntp/drift
> keys /etc/ntp/keys
> logconfig all
> logfile /var/log/ntp.log
>
>
> We'll add the "noquery" as you suggested to the top line.  Would you have
> any other suggestions for us?
>
> Regards
> HASSAN
>
>
>
> On Fri, Feb 14, 2014 at 5:29 AM, Anssi Johansson <timekeeper at miuku.net> wrote:
>
>> Nyamul Hassan wrote:
>>
>>> From the documentation, and all literature that I can find on the internet,
>>> it seems any remote client who needs to talk to our NTP servers on UDP
>>> 123,
>>> must also originate the request from UDP 123.  Considering this, we have
>>> firewalled any traffic for/from UDP 123 on our servers that does not
>>> start/end in UDP 123 on the remote machines.
>>>
>>> Could someone confirm if this is correct?  Or are we blocking legitimate
>>> requests as well?
>>>
>> You are blocking legitimate requests as well. One example: traffic coming
>> from behind NAT firewalls. NAT changes the source port to some other port.
>>
>> Adding "limited kod" to your "restrict default" line in ntp.conf is
>> usually a rather good countermeasure. I would also suggest adding "noquery"
>> to that line to prevent the recent NTP amplification attacks.
>>
>> See http://support.ntp.org/bin/view/Support/AccessRestrictions and
>> http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
>> _______________________________________________
>> pool mailing list
>> pool at lists.ntp.org
>> http://lists.ntp.org/listinfo/pool
>>
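Added example, not code from the pool list or the ntp project: a small Python audit that checks an ntp.conf for the settings recommended in the replies above ('limited' and 'kod' plus 'noquery' on the 'restrict default' line, and 'disable monitor'). The two sample configurations are constructed from the one quoted in the thread, before and after adding 'noquery' to the top line.

```python
"""Audit ntp.conf for the reflection mitigations discussed in this thread."""

# Flags the replies recommend on the 'restrict default' line.
REQUIRED_DEFAULT_FLAGS = {"limited", "kod", "noquery"}


def parse_ntp_conf(text):
    """Return (keyword, args) tuples; '#' starts a comment, blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    default_flags, have_default, monitor_disabled = set(), False, False
    for keyword, args in parse_ntp_conf(text):
        if keyword == "restrict" and args[:1] == ["default"]:
            have_default = True
            default_flags |= set(args[1:])
        elif keyword == "disable" and "monitor" in args:
            monitor_disabled = True
    findings = []
    if not have_default:
        findings.append("no 'restrict default' line: remote clients are unrestricted")
    for flag in sorted(REQUIRED_DEFAULT_FLAGS - default_flags):
        findings.append(f"'restrict default' lacks '{flag}'")
    if not monitor_disabled:
        findings.append("'disable monitor' not set")
    return findings


# Constructed from the configuration quoted in the thread (before 'noquery').
BEFORE = """\
restrict default limited kod notrap nopeer
restrict 127.0.0.1
server clock.isc.org
disable monitor     ###  This was added recently
"""

# The same file with 'noquery' added to the top line, as the reply suggests.
AFTER = BEFORE.replace("restrict default limited kod notrap nopeer",
                       "restrict default limited kod notrap nopeer noquery")

if __name__ == "__main__":
    print("before:", audit_ntp_conf(BEFORE))  # one finding: missing 'noquery'
    print("after: ", audit_ntp_conf(AFTER))   # []
```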