[Pool] DDoS Type Attack

Nyamul Hassan nyamul at gmail.com
Sun Feb 16 22:56:32 UTC 2014


>
> > restrict default limited kod notrap nopeer
>
> Add noquery to the above list or your machines will allow DDoSing other
> folks.
>
>
Yes, we could.  But, some people on this list believe that "noquery" also
restricts certain use cases, which as "Pool Servers" we should be able to
accommodate.  What do you think?

Regards
HASSAN


> H
> --
> > restrict 127.0.0.1
> > restrict ::
> > driftfile /var/lib/ntp/drift
> > keys /etc/ntp/keys
> > logconfig=all
> > logfile /var/log/ntp.log
> >
> > Thank you once again for your help!
> >
> > Regards
> > HASSAN
> >
> >
> >
> >
> > On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <fabian at wenks.ch> wrote:
> >
> > > Hello Nyamul
> > >
> > >
> > > On 16.02.14 04:33, Nyamul Hassan wrote:
> > >
> > >> After enabling each of them, we tried "disabling" the rule we enforced
> > >> earlier (the one blocking remote clients which did not have a source
> > >> port of 123) for one of our "high target" servers.  As soon as we lifted
> > >> that rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> > >> throughout the 1-2 hours we kept the test running.
> > >>
> > >
> > > I do not know what bandwidth you have set for the Pool and in which zone
> > > this server is. This would be helpful to know, as this does have quite an
> > > impact on how many requests the server is getting. E.g. if you have set it
> > > to 1 Gbit/s and are in a zone and region with just a few servers, you could
> > > get much more traffic than with a lower bandwidth in a zone / region with
> > > a lot of servers. Depending on these 2 parameters, eventually the 8-12
> > > Mbits/s are just normal legit ntp requests.
> > >
> > > I do have some other questions.
> > >
> > > Are you seeing the same amount of requests or packets in inbound and
> > > outbound?
> > >
> > > What are your settings for the 'restrict default' line in ntp.conf, are
> > > you using the options below?
> > >
> > > restrict default limited kod notrap nomodify nopeer noquery
> > >
> > > As suggested from Rob Janssen, you may leave out the 'kod' option.
> > >
> > >
> > >> Can someone suggest where the rules are failing to stop outbound traffic
> > >> over extended periods?
> > >>
> > >
> > > If these are legit requests, then you should not block outbound traffic to
> > > them, you should serve them with time.
> > >
> > > My recommendation is to let ntpd do the rate limiting and not blocking /
> > > limiting traffic with iptables or such.
> > >
> > >
> > > bye
> > > Fabian
> > >
> > > _______________________________________________
> > > pool mailing list
> > > pool at lists.ntp.org
> > > http://lists.ntp.org/listinfo/pool
> > >
> >
>
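As an added example (not from this thread or the pool project), a small checker that audits the `restrict default` line(s) of an ntp.conf for the options recommended above and reports what is missing; the sample config is constructed to resemble the one quoted in the thread.

```python
# Options a public pool server should carry on 'restrict default':
# noquery blocks mode 6/7 control queries (the amplification vector),
# nomodify/nopeer/notrap block remote reconfiguration, peering and traps,
# limited enables ntpd's own rate limiting (preferred over iptables above).
REQUIRED = {"limited", "nomodify", "nopeer", "noquery", "notrap"}


def parse_restrict_lines(conf_text):
    """Return (address, family, flags) for every restrict line in conf_text."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # strip comments
        if len(tokens) < 2 or tokens[0].lower() != "restrict":
            continue
        family, i = "", 1
        if tokens[i] in ("-4", "-6"):                  # optional address family
            family, i = tokens[i], i + 1
        if i >= len(tokens):
            continue
        address, flags, skip = tokens[i].lower(), set(), False
        for tok in tokens[i + 1:]:
            if skip:                                   # value of mask/ippeerlimit
                skip = False
                continue
            tok = tok.lower()
            if tok in ("mask", "ippeerlimit"):
                skip = True
                continue
            flags.add(tok)
        rules.append((address, family, flags))
    return rules


def audit_default_rules(conf_text):
    """Per 'restrict default' line: missing hardening flags and kod presence."""
    return [{"family": family or "any",
             "missing": sorted(REQUIRED - flags),
             "kod": "kod" in flags}
            for address, family, flags in parse_restrict_lines(conf_text)
            if address == "default"]


# Constructed sample modelled on the quoted config (noquery left out).
SAMPLE_CONF = """\
restrict default limited kod notrap nopeer   # noquery, nomodify absent
restrict 127.0.0.1
restrict ::1
driftfile /var/lib/ntp/drift
"""

if __name__ == "__main__":
    for finding in audit_default_rules(SAMPLE_CONF):
        print(finding)
```

A finding with an empty `missing` list means the line matches the fully restricted form suggested in the thread; `kod` is reported separately since opinions on keeping it differ.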

