Two rules, one in chain forward and one in chain input, both for in-interface WAN, UDP dst port 123, action reject?
On Thu, Jan 1, 2015 at 12:01 AM, Mike Hammett <[email protected]> wrote:
> Reject on the forward and input chains UDP dst port 123 on your upstream
> interfaces.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL>
>
> ------------------------------
> From: "TJ Trout" <[email protected]>
> To: "Mikrotik Users" <[email protected]>
> Sent: Thursday, January 1, 2015 1:18:49 AM
> Subject: [Mikrotik Users] Fwd: Exploitable NTP server used for an attack: 162.222.29.109
>
> How can I block or rate limit this on my edge router?
>
> ---------- Forwarded message ----------
> From: "NFOservers.com DDoS notifier" <[email protected]>
> Date: Dec 31, 2014 8:18 PM
> Subject: Exploitable NTP server used for an attack: 162.222.29.109
> To: <[email protected]>
> Cc:
>
> A public NTP server on your network, running on IP address 162.222.29.109
> and UDP port 123, participated in a very large-scale attack against a
> customer of ours, generating UDP responses to spoofed "monlist" requests
> that claimed to be from the attack target.
>
> Please consider reconfiguring this NTP server in one or more of these ways:
>
> 1. If you run ntpd, upgrading to the latest version, which removes the
>    "monlist" command that is used for these attacks; alternately, disabling
>    the monitoring function by adding "disable monitor" to your /etc/ntp.conf
>    file.
> 2. Setting the NTP installation to act as a client only. With ntpd, that
>    can be done with "restrict default ignore" in /etc/ntp.conf; other daemons
>    should have a similar configuration option. More information on configuring
>    different devices can be found here:
>    https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
> 3. Adjusting your firewall or NTP server configuration so that it only
>    serves your users and does not respond to outside IP addresses.
>
> If you don't mean to run a public NTP server, we recommend #1 and #2. If
> you do mean to run a public NTP server, we recommend #1, and also that you
> rate-limit responses to individual source IP addresses -- silently
> discarding those that exceed a low number, such as one request per IP
> address per second. Rate-limit functionality is built into many
> recently-released NTP daemons, including ntpd, but needs to be enabled; it
> would help with different types of attacks than this one.
>
> Fixing open NTP servers is important; with the 1000x+ amplification factor
> of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800
> bytes worth of response traffic -- it only takes one machine on an
> unfiltered 100 Mbps link to create a 100+ Gbps attack!
>
> If you are an ISP, please also look at your network configuration and make
> sure that you do not allow spoofed traffic (that pretends to be from
> external IP addresses) to leave the network. Hosts that allow spoofed
> traffic make possible this type of attack.
>
> Further reading:
>
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true
>
> You can find more vulnerable servers on a network through this site:
> http://openntpproject.org/
>
> Example NTP responses from the host during this attack are given below.
> Date/timestamps (far left) are UTC.
>
> 2015-01-01 04:04:54.857628 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
> 2015-01-01 04:04:54.860210 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
> 2015-01-01 04:04:54.860336 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
> 2015-01-01 04:04:54.862451 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
> 2015-01-01 04:04:54.864928 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
> 2015-01-01 04:04:54.867627 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
>
> (The final octet of our customer's IP address is masked in the above
> output because some automatic parsers become confused when multiple IP
> addresses are included. The value of that octet is "241".)
>
> -John
> President
> Nuclearfallout, Enterprises, Inc. (NFOservers.com)
>
> (We're sending out so many of these notices, and seeing so many
> auto-responses, that we can't go through this email inbox effectively. If
> you have follow-up questions, please contact us at [email protected].)
>
_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
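The two rules Mike describes, written out as a RouterOS firewall configuration; this is an added example, not code from the thread. It assumes RouterOS v6 syntax and an upstream interface named ether1-wan (a placeholder), and it uses drop instead of reject for the reason given in the comments.

```routeros
# Added example (not from the thread). Stop a MikroTik edge router from
# answering or forwarding NTP queries that arrive from the Internet, so a
# monlist-capable NTP host behind it can no longer be used as a reflector.
# Assumptions: RouterOS v6 syntax; upstream interface is "ether1-wan"
# (placeholder, substitute the real name).
/ip firewall filter

# Queries aimed at the router itself (chain=input). place-before=0 puts the
# rule at the top so no earlier broad accept rule lets the packet through.
add chain=input in-interface=ether1-wan protocol=udp dst-port=123 \
    action=drop place-before=0 comment="NTP: drop inbound queries to router"

# Queries aimed at hosts behind the router (chain=forward).
add chain=forward in-interface=ether1-wan protocol=udp dst-port=123 \
    action=drop place-before=0 comment="NTP: drop inbound queries to LAN"

# Why drop rather than reject: reject answers the (spoofed) source with an
# ICMP error, so the router itself would still emit unsolicited packets
# toward the victim. Drop sends nothing back.
#
# NTP clients inside the network keep working: their replies come back with
# destination port = the client's ephemeral port, not 123, so these rules
# never match them (and connection tracking marks them established anyway).
#
# Variant for a deliberately public NTP server behind the router (the
# notice's "one request per IP address per second"): accept at most one
# query per second per source address, burst 5, and drop the excess.
# dst-limit format is count[/time],burst,mode[/expire] in RouterOS v6.
# add chain=forward in-interface=ether1-wan protocol=udp dst-port=123 \
#     dst-limit=1,5,src-address/1m action=accept place-before=0 \
#     comment="NTP: per-source rate limit"
# add chain=forward in-interface=ether1-wan protocol=udp dst-port=123 \
#     action=drop comment="NTP: drop excess"

# Check: packet counters on these rules should rise while queries are still
# arriving, and the openntpproject.org scan should stop listing the host.
/ip firewall filter print stats where comment~"^NTP:"
```

These rules only block queries at the edge; the ntpd-side fixes in the notice (upgrade or "disable monitor", "restrict default ignore") still apply so the host stops answering monlist from inside the network as well.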
