[Pool] DDoS Type Attack
fabian at wenks.ch
Sun Feb 16 22:15:40 UTC 2014
On 16.02.14 19:56, Nyamul Hassan wrote:

> Thank you Fabian Wenk for your response. All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps.
> We also noted that, almost invariably, the remote ports are not 123.

As I have seen in the discussion in this thread already, this
could also be legit traffic, so do not use this to block.

> Our ntp.conf settings are as follows:
> restrict default limited kod notrap nopeer

You also need to add 'nopeer noquery' to the above line, else
your server will be abused with the amplification attack. This is
probably happening, as you see that high amount of outbound
traffic (but probably not inbound).

PS: No need to use "reply all", reply only to the list is
perfect, as I do filter e-mails based on the "List-Id" header line.
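
Added example, not part of the original e-mail: a small Python check that reads ntp.conf text and reports default `restrict` entries that carry neither `noquery` nor `ignore`, which is the gap the reply above points at. The function names are illustrative; the first sample is the line quoted in the thread and the second is a constructed version with `noquery` added.

```python
# Flags that stop ntpd answering ntpq/ntpdc (mode 6/7) queries from a matching source.
BLOCKS_QUERIES = {"noquery", "ignore"}

def parse_restrict(conf_text):
    """Yield (lineno, family, address, flags) for each 'restrict' line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "any"
        if args and args[0] in ("-4", "-6"):    # optional address-family selector
            family = args.pop(0)
        if not args:
            continue
        address = args.pop(0)
        if args[:1] == ["mask"]:
            args = args[2:]                     # skip 'mask <netmask>'
        yield lineno, family, address, set(args)

def audit_default_restrict(conf_text):
    """Return findings for default restrict entries that still answer queries."""
    findings = []
    seen_default = False
    for lineno, family, address, flags in parse_restrict(conf_text):
        if address != "default":
            continue                            # host/subnet exceptions are not judged here
        seen_default = True
        if not flags & BLOCKS_QUERIES:
            findings.append(f"line {lineno}: default restrict ({family}) lacks noquery")
    if not seen_default:
        findings.append("no 'restrict default' line found; built-in defaults apply")
    return findings

# The restrict line quoted in the thread, and a constructed version with noquery added.
QUOTED = "restrict default limited kod notrap nopeer\n"
ADVISED = "restrict default limited kod notrap nopeer noquery\n"

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED), ("advised", ADVISED)):
        print(name, audit_default_restrict(conf) or "ok")
```
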