Hi Chris

> Anyone else having NTP based ddos attacks? Any suggestions on how to
> prevent them?

Is your NTP Server on your Mikrotik being abused as an NTP DDoS amplifier? Then Mikrotik should urgently fix the monlist command. (I have not yet checked if it supports monlist, as I don't use my Mikrotik as an NTP server.)

Or is the monlist command of some devices behind your Mikrotik being abused as a DDoS amplifier? So please fix those devices: disable the monlist command or restrict it to your networks. For ISC ntpd, just add 'disable monitor' to ntp.conf.

Or do you want to do deep packet inspection with your Mikrotik to filter out monlist requests from outside your network? You probably have to start here:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
http://l7-filter.sourceforge.net/layer7-protocols/protocols/ntp.pat

But keep in mind, if you manage to match the monlist command inside the NTP packets, that will for sure suck up lots of your Mikrotik CPU resources.

I would go for fixing your NTP servers instead of trying to block those packets with deep inspection rules.

Kind regards

Benoit Panizzon
--
ImproWare AG
Zurlindenstrasse 29, CH-4133 Pratteln, Schweiz
Tel +41 61 826 93 07
Fax +41 61 826 93 02
Web http://www.imp.ch
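
An added example, not part of the message above and not MikroTik or ntpd code: what a filter has to inspect to pick monlist requests from outside your network out of UDP/123 traffic, written in Python. The request codes 20 and 42 are ntpd's mode 7 monitor-list requests; `TRUSTED_NETS`, the function names and the sample payloads are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# Request codes for the monitor list in ntpd's private (mode 7) protocol.
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}

# Assumption: placeholder for "your networks" (RFC 5737 documentation range).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_mode7(payload: bytes):
    """Return (is_response, version, implementation, request_code) for an
    NTP mode 7 packet, or None if the payload is not mode 7."""
    if len(payload) < 4:
        return None
    flags, _auth_seq, impl, req = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != 7:              # low three bits carry the NTP mode
        return None
    return bool(flags & 0x80), (flags >> 3) & 0x07, impl, req


def classify(src_ip: str, payload: bytes) -> str:
    """Classify one UDP/123 payload: 'allow', 'monlist-internal' or 'drop'."""
    hdr = parse_mode7(payload)
    if hdr is None:
        return "allow"                 # time traffic (modes 1-5) or control (mode 6)
    is_response, _version, _impl, req = hdr
    if is_response or req not in MONLIST_CODES:
        return "allow"                 # this example only targets monlist requests
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_NETS):
        return "monlist-internal"      # request from one of your own networks
    return "drop"


def sample(mode: int, version: int = 2, impl: int = 3, req: int = 0,
           size: int = 48) -> bytes:
    """Constructed test payload: 4-byte header, zero padded to `size` bytes."""
    return bytes([(version << 3) | mode, 0, impl, req]).ljust(size, b"\x00")
```

The decision needs only the first four bytes of the payload plus the source address, so a fixed-offset comparison is enough to identify the request.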

