[Pool] defending against DDoS attacks

Michael Rathbun time at rabendary.net
Sat Feb 22 08:10:40 UTC 2014

On Fri, 21 Feb 2014 20:35:03 -0500 (EST), Mouse
<mouse at Rodents-Montreal.ORG> wrote:

>That will continue for a nontrivial time.

Yes; since the amp attacker has no idea whether the target is being

>That was over a week ago.  I'm still getting high rates of packets to
>port 123, even though I haven't supported monlist for over a week.

I did packet-drop rules in the router for the worst (avg < 4) hosts before
turning off query.  It's at least two months since I last responded to any
external request other than time.  The rules are still there, but six of
the original nine offenders are still chugging away.  Turning off query
caused the number of new high-volume abusers joining the party to drop to
near zero.

Looking at logs for a router on another network that doesn't connect an NTP
server, I see at least one port 123 packet refused per hour, so they are
definitely still looking.
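
An added example, not part of the original message or of either poster's tooling: a Python script that tallies dropped UDP port 123 packets per source and hour from a router log and ranks the sources whose busiest hour reaches a threshold, the kind of count that picks out the worst hosts for drop rules. The netfilter LOG-style line format, the sample lines, the threshold and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in netfilter LOG-target style. Addresses come from the
# documentation ranges (RFC 5737); they are not real offenders.
SAMPLE_LOG = """\
Feb 22 07:00:01 gw kernel: NTP-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=59123 DPT=123 LEN=16
Feb 22 07:00:02 gw kernel: NTP-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=59123 DPT=123 LEN=16
Feb 22 07:00:03 gw kernel: NTP-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=59123 DPT=123 LEN=16
Feb 22 07:14:40 gw kernel: NTP-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=80 DPT=123 LEN=16
Feb 22 07:30:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=80 DPT=1234 LEN=20
Feb 22 08:02:11 gw kernel: NTP-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=36 PROTO=UDP SPT=59123 DPT=123 LEN=16
Feb 22 08:20:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4000 DPT=123
"""

# Syslog month/day/hour, then SRC=, PROTO=UDP and exactly DPT=123 in that order.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s.*?"
    r"\bSRC=(?P<src>\S+)\s.*?\bPROTO=UDP\b.*?\bDPT=123\b"
)


def hourly_counts(log_text):
    """Return {source: Counter({(month, day, hour): packets})} for UDP/123."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # non-UDP lines and other destination ports are skipped
            bucket = (m["mon"], int(m["day"]), int(m["hour"]))
            per_src[m["src"]][bucket] += 1
    return per_src


def drop_candidates(log_text, min_per_hour):
    """Sources whose busiest hour reaches min_per_hour, worst first."""
    peaks = {src: max(c.values()) for src, c in hourly_counts(log_text).items()}
    worst = [(src, peak) for src, peak in peaks.items() if peak >= min_per_hour]
    return sorted(worst, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Threshold of 3 packets/hour is an arbitrary value for the sample data.
    for src, peak in drop_candidates(SAMPLE_LOG, min_per_hour=3):
        print(f"{src}: peak {peak} packets/hour to UDP 123")
```
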

