[Pool] defending against DDoS attacks
brak at constant.com
Fri Feb 21 15:08:42 UTC 2014
On 2/21/2014 5:15 AM, Jim Reid wrote:
> On 20 Feb 2014, at 20:42, Brian Rak <brak at constant.com> wrote:
>> You generally only need rate limits if you have monlist enabled for some reason. There's no reason to expose monlist to the internet, so you shouldn't need rate limits..
>> I've lost track of how many times I've said this, but iptables is not the solution to these attacks. The solution is fixing your config to disable monlist (add noquery to your 'restrict default' lines).
> This is somewhat misleading.
> Yes of course disabling monlist is a Very Good Thing and everyone should do it. However that simply isn't enough and it's quite wrong of you to imply otherwise.
So far, I've seen this exact situation play out multiple times. Someone says 'What iptables rules do I need?' or 'I came up with these iptables rules', and it turns out they still have monlist enabled. These problems tend to go away when you disable monlist (unless you're actually the target of an attack).
> FYI when my server was attacked (50-100Kqps), no monlist queries were involved. This was disabled in the server too. The script kiddies didn't seem to be all that bothered about amplification as an attack vector. So whatever they got from a straight reflection attack was good enough from their perspective. Assuming those cretins applied any thought before mounting the attack.
If your server is being attacked, this is a far different story. If you're being attacked, no amount of NTPD configuration is going to fix it. If you're actually the target, iptables isn't going to help either. These attacks very quickly get into the tens of gigabits range, probably much higher.