This particular device does not have NTP server enabled. It's my core router facing my upstream. I have a filter rule to drop port 123 but it isn't curbing the effects. My whole pipe of course is being eaten up. I have currently disabled that interface and am running on my secondary connection. It did this last night from 1 am to 3 am my time and started right at 1 am again today. Also for about 10 to 15 minutes right around 5 pm this evening.

-------- Original message --------
From: Benoit Panizzon <[email protected]>
Date: 11/07/2014 2:16 AM (GMT-06:00)
To: Mikrotik discussions <[email protected]>
Subject: Re: [Mikrotik] NTP DDOS Attack

Hi Chris

> Anyone else having NTP based ddos attacks? Any suggestions on how to
> prevent them?

Is your NTP Server on your Mikrotik being abused as NTP DDOS amplifier?

Then mikrotik should urgently fix the monlist command. (I have not yet checked if it supports monlist, as I don't use my mikrotik as an NTP server).

Or is the monlist command of some devices behind your mikrotik being abused as DDOS amplifier?

So please fix those devices, disable the monlist command or restrict it to your networks. For ISC ntpd, just add 'disable monitor' to ntp.conf

Or do you want to do deep packet inspection with your mikrotik to filter out monlist requests from outside your network?

You probably have to start here:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
http://l7-filter.sourceforge.net/layer7-protocols/protocols/ntp.pat

But keep in mind, if you manage to match the monlist command inside the NTP packets, that will for sure suck up lots of your mikrotik CPU resources.

I would go for fixing your NTP servers instead of trying to block those packets with deep inspection rules.

Kind regards

Benoit Panizzon
--
I m p r o W a r e   A G
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 07
CH-4133 Pratteln                Fax  +41 61 826 93 02
Switzerland                     Web  http://www.imp.ch
______________________________________________________
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
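
To tell which of the cases raised in the reply applies (a host behind the router answering monlist, or monlist replies arriving from outside), the NTP header of captured UDP/123 payloads can be classified. This is an added example, not part of the original messages: the function names, the "in"/"out" direction labels and the sample payloads are constructed for illustration, and request codes 20 and 42 are ntpd's MON_GETLIST and MON_GETLIST_1.

```python
import struct
from collections import Counter

# ntpd mode 7 request codes for monlist: MON_GETLIST = 20, MON_GETLIST_1 = 42
MONLIST_CODES = {20, 42}

def classify_ntp(payload: bytes) -> str:
    """Label one UDP/123 payload using only the first four header bytes."""
    if len(payload) < 4:
        return "invalid"
    b0, _seq, _impl, req = struct.unpack("!BBBB", payload[:4])
    mode = b0 & 0x07                      # low three bits of byte 0
    if mode == 7:                         # private mode (ntpdc), carries monlist
        if req not in MONLIST_CODES:
            return "mode7-other"
        # In mode 7 the top bit of byte 0 is the response flag.
        return "monlist-response" if b0 & 0x80 else "monlist-request"
    if mode == 6:                         # control mode (ntpq)
        return "control"
    if 1 <= mode <= 5:                    # ordinary time exchange, 48-byte header
        return "time" if len(payload) >= 48 else "invalid"
    return "invalid"                      # mode 0 is reserved

def triage(packets):
    """packets: iterable of (direction, payload), direction "in" or "out"
    relative to the local network (assumed labelling, set by the capture)."""
    seen = Counter((d, classify_ntp(p)) for d, p in packets)
    findings = []
    if seen[("out", "monlist-response")]:
        # A local host answers monlist: 'disable monitor' or restrict it there.
        findings.append("reflector")
    if seen[("in", "monlist-response")]:
        # Replies aimed at us: a drop rule on this router does not free the
        # upstream link, the traffic has already crossed it.
        findings.append("target")
    return findings, seen

# Constructed sample payloads (headers only, zero padded), not captured traffic.
REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)     # VN=2, mode 7, code 42
RESP = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(4)    # response + more bits set
CLIENT = bytes([0x23]) + bytes(47)                   # VN=4, mode 3 client query

if __name__ == "__main__":
    print(triage([("in", REQ), ("out", RESP), ("in", CLIENT)])[0])
    print(triage([("in", RESP)] * 3 + [("out", CLIENT)])[0])
```
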

