On Mon, Feb 10, 2014 at 12:02 PM, Kelsey, John <[email protected]> wrote:
> Looks like we’re getting bombarded with an NTP attack. Over 250k hits in
> the last hour. Anybody else out there having similar issues today? We’re
> dropping the traffic at our firewall, but it’s pretty much put our internet
> out of commission. :/

We suffered this last weekend. I had Friday off, and heard about Internet slowness from users on Monday. I identified the issue by doing a quick tcpdump on the external interface of our firewall, and configured a rule to drop all inbound NTP requests. I got an email from our ISP in the next hour from their abuse desk, and was able to reply that I had fixed the problem.

US-CERT has issued a more generic warning regarding UDP amplification attacks, including NTP, DNS, NBNS and SNMPv2, among others:

https://www.us-cert.gov/ncas/alerts/TA14-017A

You can talk with your ISP about blocking these UDP protocols inbound somewhere upstream, if you don't need them.

Kurt
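
Added example, not part of the messages above: a triage sketch for the tcpdump step, which tallies who is sending packets to NTP services on the local network and how many bytes those services send back, giving the amplification ratio the US-CERT alert is concerned with. The capture lines are constructed (RFC 5737 documentation addresses), and `summarize` and `local_prefix` are names assumed for this sketch.

```python
import re
from collections import Counter

# Constructed sample in the text format of `tcpdump -nn udp port 123`;
# 203.0.113.0/24 stands in for the local network (assumption).
SAMPLE = """\
12:02:01.000101 IP 198.51.100.7.41000 > 203.0.113.10.123: NTPv2, Reserved, length 8
12:02:01.000350 IP 203.0.113.10.123 > 198.51.100.7.41000: NTPv2, Reserved, length 440
12:02:01.000420 IP 203.0.113.10.123 > 198.51.100.7.41000: NTPv2, Reserved, length 440
12:02:01.001200 IP 198.51.100.7.41000 > 203.0.113.10.123: NTPv2, Reserved, length 8
12:02:01.001450 IP 203.0.113.10.123 > 198.51.100.7.41000: NTPv2, Reserved, length 440
12:02:02.500000 IP 203.0.113.25.50123 > 192.0.2.53.123: NTPv4, Client, length 48
12:02:02.530000 IP 192.0.2.53.123 > 203.0.113.25.50123: NTPv4, Server, length 48
"""

# Only addresses, ports and the trailing length are parsed, not the NTP decode.
PACKET = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*length (\d+)")

def summarize(capture, local_prefix="203.0.113."):
    """Tally traffic to and from NTP services hosted on the local network."""
    requesters = Counter()      # claimed source -> packets sent to local udp/123
    bytes_in = bytes_out = 0    # payload bytes into / out of local udp/123
    for line in capture.splitlines():
        m = PACKET.search(line)
        if not m:
            continue
        src, sport, dst, dport, length = m[1], int(m[2]), m[3], int(m[4]), int(m[5])
        if dst.startswith(local_prefix) and dport == 123:
            requesters[src] += 1
            bytes_in += length
        elif src.startswith(local_prefix) and sport == 123:
            bytes_out += length
        # Local clients syncing with outside servers match neither branch.
    ratio = bytes_out / bytes_in if bytes_in else 0.0
    return {"requesters": requesters, "bytes_in": bytes_in,
            "bytes_out": bytes_out, "amplification": ratio}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for src, count in report["requesters"].most_common(5):
        print(f"{count:6d} packets to local udp/123 from {src}")
    print(f"in={report['bytes_in']}B out={report['bytes_out']}B "
          f"amplification={report['amplification']:.1f}x")
```

In a reflection attack the source address on the inbound requests is spoofed, so the top "requesters" are the parties receiving the amplified replies; a high ratio with few distinct requesters supports dropping inbound NTP requests as described above.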

