[Pool] DDoS Type Attack

Harlan Stenn stenn at ntp.org
Sun Feb 16 22:22:29 UTC 2014


Nyamul Hassan writes:
> Thank you Fabian Wenk for your response.  All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps
> each.
> 
> We also noted that, almost invariably, the remote ports are not 123.
> 
> Our ntp.conf settings are as follows:
> 
> restrict default limited kod notrap nopeer

Add noquery to the above list or your machines will allow DDoSing other
folks.

H
--
> restrict 127.0.0.1
> restrict ::
> driftfile /var/lib/ntp/drift
> keys /etc/ntp/keys
> logconfig=all
> logfile /var/log/ntp.log
> 
> Thank you once again for your help!
> 
> Regards
> HASSAN
> 
> 
> 
> 
> On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <fabian at wenks.ch> wrote:
> 
> > Hello Nyamul
> >
> >
> > On 16.02.14 04:33, Nyamul Hassan wrote:
> >
> >> After enabling each of them, we tried "disabling" the rule we enforced
> >> earlier (the one blocking remote clients which did not have a source port
> >> of 123) for one of our "high target" servers.  As soon as we lifted that
> >> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> >> throughout the 1-2 hours we kept the test running.
> >>
> >
> > I do not know what bandwidth you have set for the Pool and in which zone
> > this server is. This would be helpful to know, as this does have quite an
> > impact on how many requests the server is getting. E.g. if you have set it
> > to 1 Gbit/s and are in a zone and region with just a few servers, you could
> > get much more traffic than with a lower bandwidth in a zone / region with
> > a lot of servers. Depending on these 2 parameters, eventually the 8-12
> > Mbits/s are just normal legit ntp requests.
> >
> > I do have some other questions.
> >
> > Are you seeing the same amount of requests or packets in inbound and
> > outbound?
> >
> > What are your settings for the 'restrict default' line in ntp.conf, are
> > you using the options below?
> >
> > restrict default limited kod notrap nomodify nopeer noquery
> >
> > As suggested from Rob Janssen, you may leave out the 'kod' option.
> >
> >
> >> Can someone suggest where the rules are failing to stop outbound traffic
> >> over extended periods?
> >>
> >
> > If these are legit requests, then you should not block outbound traffic to
> > them, you should serve them with time.
> >
> > My recommendation is to let ntpd do the rate limiting and not blocking /
> > limiting traffic with iptables or such.
> >
> >
> > bye
> > Fabian
> >
> > _______________________________________________
> > pool mailing list
> > pool at lists.ntp.org
> > http://lists.ntp.org/listinfo/pool
> >
> 


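A small checker for the 'restrict default' options the thread is about, added here as an illustration and not code from the thread or from ntpd. It embeds the ntp.conf Hassan posted and the default line Fabian suggested, and reports which of noquery / nomodify is missing; the option names are ntpd's own restrict keywords.

```python
# Added example, not code from the thread: check which of the 'restrict default'
# options discussed above are missing from an ntp.conf. Option names are ntpd's
# own restrict keywords; the sample configs are the ones quoted in the thread.
# Options that stop ntpd answering control/monitoring queries (noquery) and
# runtime configuration requests (nomodify) from arbitrary clients.
REQUIRED = {"noquery", "nomodify"}
# Hassan's ntp.conf as quoted in the thread.
HASSAN_CONF = """\
restrict default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig=all
logfile /var/log/ntp.log
"""

# The same file with Fabian's suggested default line.
HARDENED_CONF = HASSAN_CONF.replace(
    "restrict default limited kod notrap nopeer",
    "restrict default limited kod notrap nomodify nopeer noquery")

def default_restrict_options(conf):
    """Yield the option set of every 'restrict [-4|-6] default ...' line."""
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()     # drop comments, tokenize
        if not tokens or tokens[0] != "restrict":
            continue
        if len(tokens) > 1 and tokens[1] in ("-4", "-6"):
            del tokens[1]                          # address-family flag
        if len(tokens) > 1 and tokens[1] == "default":
            yield set(tokens[2:])

def missing_default_options(conf):
    """Required options absent from any default restrict line. Without a
    'restrict default' line ntpd's default is unrestricted access, so in
    that case every required option is reported missing."""
    found = list(default_restrict_options(conf))
    if not found:
        return set(REQUIRED)
    missing = set()
    for opts in found:
        missing |= REQUIRED - opts
    return missing

if __name__ == "__main__":
    for name, conf in (("posted", HASSAN_CONF), ("hardened", HARDENED_CONF)):
        gap = missing_default_options(conf)
        print(f"{name}: {'ok' if not gap else 'missing ' + ' '.join(sorted(gap))}")
```

Run against a real /etc/ntp.conf by reading the file into a string and passing it to missing_default_options.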