[Pool] DDoS Type Attack
fabian at wenks.ch
Sun Feb 16 15:54:17 UTC 2014
On 16.02.14 04:33, Nyamul Hassan wrote:
> After enabling each of them, we tried "disabling" the rule we enforced
> earlier (the one blocking remote clients which did not have a source port
> of 123) for one of our "high target" servers. As soon as we lifted that
> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> throughout the 1-2 hours we kept the test running.
I do not know what bandwidth you have set for the Pool and in
which zone this server is. This would be helpful to know, as this
does have quite an impact on how many requests the server is
getting. E.g. if you have set it to 1 Gbit/s and are in a zone
and region with just a few servers, you could get much more
traffic than with a lower bandwidth in a zone / region with a
lot of servers. Depending on these 2 parameters, eventually the
8-12 Mbit/s are just normal legit ntp requests.
I do have some other questions.
Are you seeing the same amount of requests or packets inbound?
What are your settings for the 'restrict default' line in
ntp.conf, are you using the options below?
restrict default limited kod notrap nomodify nopeer noquery
As suggested from Rob Janssen, you may leave out the 'kod' option.
> Can someone suggest where the rules are failing to stop outbound traffic
> over extended periods?
If these are legit requests, then you should not block outbound
traffic to them, you should serve them with time.
My recommendation is to let ntpd do the rate limiting and not
block / limit traffic with iptables or such.
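Added example, not code from the thread, from the NTP Pool, or from ntpd: a small Python audit that parses the 'restrict default' lines of an ntp.conf and reports which of the flags quoted above (limited, notrap, nomodify, nopeer, noquery; kod treated as optional, as the reply suggests) are missing. The function names and the two sample configurations are constructed for this illustration.

```python
# Added example (not from the mailing-list thread): audit the
# 'restrict default' lines of an ntp.conf against the flags quoted in the
# reply. Function names and sample configs are constructed for this example.

# Flags on the 'restrict default' line quoted in the thread; 'kod' is
# treated as optional because the reply says it may be left out.
RECOMMENDED_FLAGS = {"limited", "nomodify", "nopeer", "noquery", "notrap"}
OPTIONAL_FLAGS = {"kod"}

# Constructed sample: a permissive default policy with no rate limiting
# ('limited') and no 'noquery', so any remote client may send control queries.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default nomodify    # no noquery, no limited
restrict 127.0.0.1
"""

# Constructed sample: the 'restrict default' line quoted in the thread,
# applied to both address families.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_restrict_default(conf_text):
    """Return [(family, flags)] for each 'restrict [-4|-6] default' line.

    family is 'any', '-4' or '-6'; flags is the set of option keywords on
    that line. Comments (# ...) and blank lines are skipped; restrict lines
    for specific hosts or subnets are ignored because they do not set the
    policy that applies to arbitrary remote clients.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        family = "any"
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0], rest[1:]
        if not rest or rest[0] != "default":
            continue
        entries.append((family, set(rest[1:])))
    return entries


def audit_restrict_default(conf_text):
    """Return a list of findings; an empty list means every
    'restrict default' line carries all recommended flags."""
    findings = []
    entries = parse_restrict_default(conf_text)
    if not entries:
        findings.append("no 'restrict default' line: remote clients are unrestricted")
    for family, flags in entries:
        missing = RECOMMENDED_FLAGS - flags
        if missing:
            findings.append(f"restrict {family} default lacks {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_restrict_default(conf) or 'ok'}")
```

The audit only checks for the flags named in the thread; it deliberately does not complain about other valid restrict keywords. A missing 'limited' means ntpd applies no per-client rate limiting to the default policy, which is the mechanism the reply recommends over iptables-based blocking.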