[Pool] DDoS Type Attack

Fabian Wenk fabian at wenks.ch
Sun Feb 16 22:15:40 UTC 2014


Hello

On 16.02.14 19:56, Nyamul Hassan wrote:
> Thank you Fabian Wenk for your response.  All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps
> each.
>
> We also noted that, almost invariably, the remote ports are not 123.

As I have seen in the discussion in this thread already, this 
could also be legit traffic, so do not use this to block.

> Our ntp.conf settings are as follows:
>
> restrict default limited kod notrap nopeer

You also need to add 'nopeer noquery' to the above line, else 
your server will be abused with the amplification attack. This is 
probably happening, as you see that high amount of outbound 
traffic (but probably not inbound).

PS: No need to use "reply all", reply only to the list is 
perfect, as I do filter e-mails based on the "List-Id" header line.


bye
Fabian
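
An added example, not part of the original message: a small Python check that reads an ntp.conf and reports `restrict default` lines that lack `noquery` (or `ignore`), the omission the reply above points at. The function names and the sample configurations are constructed for illustration; only the `restrict default limited kod notrap nopeer` line comes from the thread.

```python
# Flags that stop ntpd from answering ntpq/ntpdc (mode 6/7) queries.
QUERY_BLOCKING = {"noquery", "ignore"}

def default_restrict_lines(conf_text):
    """Yield (lineno, family, flags) for every 'restrict [-4|-6] default' line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "any"
        if args[0] in ("-4", "-6"):
            family, args = args[0], args[1:]
        if args and args[0] == "default":
            yield lineno, family, set(args[1:])

def audit(conf_text):
    """Return (lineno, family, message) findings; an empty list means OK."""
    findings, seen = [], False
    for lineno, family, flags in default_restrict_lines(conf_text):
        seen = True
        if not flags & QUERY_BLOCKING:
            findings.append((lineno, family, "default restrict lacks noquery"))
    if not seen:
        # With no default restrict line, ntpd's built-in default entry has no flags.
        findings.append((0, "any", "no 'restrict default' line found"))
    return findings

# Constructed sample: the restrict line quoted in the thread, plus filler lines.
PAGE_CONF = """driftfile /var/lib/ntp/drift
restrict default limited kod notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the same file with noquery added to both address families.
FIXED_CONF = """driftfile /var/lib/ntp/drift
restrict -4 default limited kod notrap nopeer noquery
restrict -6 default limited kod notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "OK")
```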

