Well, this would be blocking NTP inbound to your network. Do you have any NTP servers that should be answering to the outside? Incoming interface is your upstream interface.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

----- Original Message -----
From: "Mike Francis - JMF Solutions" <[email protected]>
To: "Mikrotik Users" <[email protected]>
Sent: Thursday, January 1, 2015 9:37:02 AM
Subject: Re: [Mikrotik Users] Fwd: Exploitable NTP server used for an attack: 162.222.29.109

Blocking ntp for your entire network is not a good idea. Lots of other things need it. The best option is to set up a primary and secondary ntp server on your network which will provide ntp to all things that need it. In this case you would allow your ntp server(s) and block all other ntp on input. Blocking ntp on forward is not a good idea either.

Optionally you can choose a couple of ntp servers that you trust, allow those on input and block everything else. Still you should not block ntp on forward. Instead take the time to set up the same rules on your other routers and servers.

Happy New Year!

--
John Michael Francis II
JMF Solutions, Inc
Wavefly Technologies
251-517-5069
http://jmfsolutions net
http://wavefly.com

On January 1, 2015 2:01:59 AM CST, Mike Hammett <[email protected]> wrote:

Reject on the forward and input chains UDP dst port 123 on your upstream interfaces.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

----- Original Message -----
From: "TJ Trout" <[email protected]>
To: "Mikrotik Users" <[email protected]>
Sent: Thursday, January 1, 2015 1:18:49 AM
Subject: [Mikrotik Users] Fwd: Exploitable NTP server used for an attack: 162.222.29.109

How can I block or rate limit this on my edge router?
---------- Forwarded message ----------
From: "NFOservers.com DDoS notifier" <[email protected]>
Date: Dec 31, 2014 8:18 PM
Subject: Exploitable NTP server used for an attack: 162.222.29.109
To: <[email protected]>
Cc:

A public NTP server on your network, running on IP address 162.222.29.109 and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.

Please consider reconfiguring this NTP server in one or more of these ways:

1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.

2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html .

3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.
Fixing open NTP servers is important; with the 1000x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800 bytes worth of response traffic -- it only takes one machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Further reading:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true

You can find more vulnerable servers on a network through this site: http://openntpproject.org/

Example NTP responses from the host during this attack are given below. Date/timestamps (far left) are UTC.

2015-01-01 04:04:54.857628 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e96b 4000 3b11 d405 a2de 1d6d  E....k@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 0f7e d740 032a  J[u..{i....~.@.*
        0x0020:  0006 0048 0000 0001 0001 373b 0000 0000  ...H......7;....
        0x0030:  0000 0003 739f 40f3 c0a8 0afa 0100 0000  ....s.@.........
        0x0040:  02bc 0702 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000                                     ..
2015-01-01 04:04:54.860210 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e96c 4000 3b11 d404 a2de 1d6d  E....l@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 6dfd d741 032a  J[u..{i...m..A.*
        0x0020:  0006 0048 0000 0000 0001 3801 0000 0000  ...H......8.....
        0x0030:  0000 0001 7929 6cbf c0a8 0afa 0100 0000  ....y)l.........
        0x0040:  02bc 0702 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000                                     ..
2015-01-01 04:04:54.860336 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e96d 4000 3b11 d403 a2de 1d6d  E....m@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 0d0b d742 032a  J[u..{i......B.*
        0x0020:  0006 0048 0000 0002 0001 38d0 0000 0000  ...H......8.....
        0x0030:  0000 00dd 7b82 7c49 c0a8 0afa 0100 0000  ....{.|I........
        0x0040:  2110 0702 0000 0000 0000 0000 0000 0000  !...............
        0x0050:  0000                                     ..
2015-01-01 04:04:54.862451 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e96e 4000 3b11 d402 a2de 1d6d  E....n@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 b669 d743 032a  J[u..{i....i.C.*
        0x0020:  0006 0048 0000 0007 0001 3982 0000 0000  ...H......9.....
        0x0030:  0000 0011 ad2c 227a c0a8 0afa 0100 0000  .....,"z........
        0x0040:  0050 0702 0000 0000 0000 0000 0000 0000  .P..............
        0x0050:  0000                                     ..
2015-01-01 04:04:54.864928 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e96f 4000 3b11 d401 a2de 1d6d  E....o@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 7f1e d744 032a  J[u..{i......D.*
        0x0020:  0006 0048 0000 0003 0001 3d55 0000 0000  ...H......=U....
        0x0030:  0000 00d3 05e7 39d1 c0a8 0afa 0100 0000  ......9.........
        0x0040:  0050 0702 0000 0000 0000 0000 0000 0000  .P..............
        0x0050:  0000                                     ..
2015-01-01 04:04:54.867627 IP 162.222.29.109.123 > 74.91.117.x.27015: NTPv2, Reserved, length 440
        0x0000:  4510 01d4 e970 4000 3b11 d400 a2de 1d6d  E....p@.;......m
        0x0010:  4a5b 75f1 007b 6987 01c0 33ef d745 032a  J[u..{i...3..E.*
        0x0020:  0006 0048 0000 0009 0001 404f 0000 0000  ...H......@O....
        0x0030:  0000 0008 d129 4ef2 c0a8 0afa 0100 0000  .....)N.........
        0x0040:  0050 0702 0000 0000 0000 0000 0000 0000  .P..............
        0x0050:  0000                                     ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "241".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at [email protected] .)

_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
