[Pool] DDoS Type Attack

Matt Wagner mwaggy at gmail.com
Mon Feb 17 00:08:54 UTC 2014

On Sun, Feb 16, 2014 at 1:56 PM, Nyamul Hassan <nyamul at gmail.com> wrote:

> Thank you Fabian Wenk for your response.  All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps
> each.
> We also noted that, almost invariably, the remote ports are not 123.
> Our ntp.conf settings are as follows:
> restrict default limited kod notrap nopeer
> restrict
> restrict ::
> driftfile /var/lib/ntp/drift
> keys /etc/ntp/keys
> logconfig=all
> logfile /var/log/ntp.log
> Thank you once again for your help!
> Regards

 The 8-12 Mbps is because your server is being used in a DDoS attack!

Add 'noquery' to the end of the first restrict line and restart.

If you run 'ntpdc -nc monlist YOUR_HOST' before applying, you will see
that, for one small query, you get a list of 600 hosts using your server
back. There's an active attack going around, in which abusers are doing
this with forged IPs (which works since it's UDP traffic) to amplify their

(Note that the monlist query will still work from localhost after
restarting, but not other hosts -- because the 2nd and 3rd lines apply no
restrictions to localhost, which is fine. Test from another host to make
sure the monlist query doesn't work (it should time out).)

more information on the attack.

More information about the pool mailing list