[Pool] DDoS Type Attack

Matt Wagner mwaggy at gmail.com
Mon Feb 17 00:08:54 UTC 2014


On Sun, Feb 16, 2014 at 1:56 PM, Nyamul Hassan <nyamul at gmail.com> wrote:

> Thank you Fabian Wenk for your response.  All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps
> each.
>
> We also noted that, almost invariably, the remote ports are not 123.
>
> Our ntp.conf settings are as follows:
>
> restrict default limited kod notrap nopeer
> restrict 127.0.0.1
> restrict ::
> driftfile /var/lib/ntp/drift
> keys /etc/ntp/keys
> logconfig=all
> logfile /var/log/ntp.log
>
> Thank you once again for your help!
>
> Regards
> HASSAN


The 8-12 Mbps is because your server is being used in a DDoS attack!

Add 'noquery' to the end of the first restrict line and restart.

If you run 'ntpdc -nc monlist YOUR_HOST' before applying, you will see
that, for one small query, you get a list of 600 hosts using your server
back. There's an active attack going around, in which abusers are doing
this with forged IPs (which works since it's UDP traffic) to amplify their
bandwidth.

(Note that the monlist query will still work from localhost after
restarting, but not other hosts -- because the 2nd and 3rd lines apply no
restrictions to localhost, which is fine. Test from another host to make
sure the monlist query doesn't work (it should time out).)

See
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
for more information on the attack.
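As an added example (not part of the thread above or of the ntp distribution), the script below builds the 8-byte NTP mode-7 MON_GETLIST_1 ("monlist") request that ntpdc sends, parses the mode-7 replies, and simulates what an open server hands back for a 600-entry monitor list so the amplification ratio can be measured offline. Packet layout follows ntp_request.h in the reference ntpd (struct info_monitor_1 is 72 bytes, six per 500-byte reply); the sample host entries are constructed, `probe_monlist` is the only function that touches the network, and `monlist_reachable_from_remote` is a minimal check of the `restrict default` line that assumes nothing beyond the flags shown in the quoted ntp.conf.

```python
"""Added example: NTP monlist (mode 7, request 42) builder/parser and amplification check."""
import socket
import struct
from typing import Dict, List, Tuple

IMPL_XNTPD = 3            # implementation number ntpdc uses
REQ_MON_GETLIST_1 = 42    # request code behind 'ntpdc -c monlist'
MON_ITEM_SIZE = 72        # sizeof(struct info_monitor_1) in ntp_request.h
MAX_ITEMS_PER_PKT = 6     # 6 * 72 = 432 bytes, the most that fits a 500-byte reply


def build_monlist_request(sequence: int = 0) -> bytes:
    """Header: R=0, M=0, version=2, mode=7 | auth=0, seq | impl | reqcode | err/count | mbz/size."""
    first = (0 << 7) | (0 << 6) | (2 << 3) | 7      # 0x17
    return struct.pack("!BBBBHH", first, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_response(pkt: bytes) -> Dict:
    """Decode the 8-byte mode-7 header and, for monlist replies, the per-host entries."""
    if len(pkt) < 8:
        raise ValueError("short mode-7 packet")
    first, auth_seq, impl, reqcode, err_count, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    hdr = {
        "response": bool(first & 0x80), "more": bool(first & 0x40),
        "version": (first >> 3) & 0x07, "mode": first & 0x07,
        "sequence": auth_seq & 0x7F, "implementation": impl, "request_code": reqcode,
        "error": err_count >> 12, "count": err_count & 0x0FFF,
        "item_size": mbz_size & 0x0FFF, "entries": [],
    }
    if hdr["mode"] != 7 or not hdr["response"]:
        raise ValueError("not a mode-7 response")
    if hdr["request_code"] == REQ_MON_GETLIST_1 and hdr["error"] == 0:
        body = pkt[8:]
        for i in range(hdr["count"]):
            item = body[i * hdr["item_size"]:(i + 1) * hdr["item_size"]]
            if len(item) < 32:
                break
            # first 32 bytes of info_monitor_1: avg_int,last_int,restr,count,addr,daddr,flags,port,mode,version
            _, _, _, count, addr, _, _, port, mode, ver = struct.unpack("!IIIIIIIHBB", item[:32])
            hdr["entries"].append({"addr": socket.inet_ntoa(struct.pack("!I", addr)),
                                   "count": count, "port": port, "mode": mode, "version": ver})
    return hdr


def build_monlist_response(entries: List[Tuple[str, int]], sequence: int, more: bool) -> bytes:
    """Constructed reply packet: what an unrestricted ntpd returns for one chunk of its monitor list."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", first, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(entries), MON_ITEM_SIZE)
    body = b""
    for addr, count in entries:
        a = struct.unpack("!I", socket.inet_aton(addr))[0]
        item = struct.pack("!IIIIIIIHBB", 60, 5, 0, count, a, 0, 0, 123, 3, 4)
        body += item + b"\x00" * (MON_ITEM_SIZE - len(item))   # pad v6 fields with zeros
    return hdr + body


def simulate_open_server(n_hosts: int) -> List[bytes]:
    """Replies for one request from a server with monlist enabled: 6 entries per packet, MORE bit on all but the last."""
    entries = [(f"10.0.{i // 256}.{i % 256}", 1 + i) for i in range(n_hosts)]   # constructed client list
    chunks = [entries[i:i + MAX_ITEMS_PER_PKT] for i in range(0, len(entries), MAX_ITEMS_PER_PKT)]
    return [build_monlist_response(c, seq, seq < len(chunks) - 1) for seq, c in enumerate(chunks)]


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """UDP payload bytes returned per payload byte sent (headers excluded, so this is a lower bound)."""
    return sum(len(r) for r in responses) / len(request)


def monlist_reachable_from_remote(ntp_conf: str) -> bool:
    """True when any 'restrict [-4|-6] default' line lacks noquery or ignore (or none exists)."""
    verdicts = []
    for line in ntp_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "restrict":
            toks = [t for t in parts[1:] if t not in ("-4", "-6")]
            if toks and toks[0] == "default":
                verdicts.append(not ({"noquery", "ignore"} & set(toks[1:])))
    return any(verdicts) if verdicts else True


def probe_monlist(host: str, timeout: float = 2.0) -> List[bytes]:
    """Live check from another host: send one request, collect replies until the socket idles.
    A server restricted with noquery answers nothing, so this returns an empty list after `timeout`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(build_monlist_request(), (host, 123))
        while True:
            data, _ = sock.recvfrom(1024)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    req = build_monlist_request()
    replies = simulate_open_server(600)
    print(f"{len(req)}-byte request -> {len(replies)} packets, {sum(map(len, replies))} bytes, "
          f"x{amplification_factor(req, replies):.0f} payload amplification")
    print(parse_mode7_response(replies[0])["entries"][0])
```

Run it as-is for the offline simulation; to reproduce the check the post asks for, call `probe_monlist("YOUR_HOST")` from a machine other than the server itself (the `restrict 127.0.0.1` line means localhost is not a valid test) and expect an empty list after the fix. The simulated 600-entry list becomes 100 packets of 440 bytes for one 8-byte request, which is why a forged source address turns a modest query stream into the multi-megabit flows described above.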

