I'm impressed that they were able to manage any mitigation at all at that level.
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Mon, Feb 10, 2014 at 9:05 PM, Kennedy, Jim <[email protected]> wrote:

> Sounds like everyone here got off easy.
>
> http://www.securityweek.com/cloudflare-infrastructure-hit-400gbs-ntp-based-ddos-attack?utm_source=dlvr.it&utm_medium=twitter
>
> ________________________________________
> From: [email protected] [[email protected]] on behalf of Joe Matuscak [[email protected]]
> Sent: Monday, February 10, 2014 4:51 PM
> To: [email protected]
> Subject: Re: [NTSysADM] NTP Attack Anyone?
>
> In the case of NTP, you can circumvent the attack by changing the ntp.conf file
> to add the "noquery" option, something like:
>
> restrict default kod nomodify notrap nopeer noquery
>
> This kills the ability to do management queries to the server, so you may want
> to add something to allow your internal systems to do the queries, like...
>
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
>
> after the first "restrict" line.
>
> ----- Original Message -----
>
> On Mon, Feb 10, 2014 at 12:02 PM, Kelsey, John <[email protected]> wrote:
>
> > > Looks like we're getting bombarded with an NTP attack. Over 250k hits in
> > > the last hour. Anybody else out there having similar issues today? We're
> > > dropping the traffic at our firewall, but it's pretty much put our internet
> > > out of commission. :/
> >
> > We suffered this last weekend. I had Friday off, and heard about
> > Internet slowness from users on Monday. I identified the issue by
> > doing a quick tcpdump on the external interface of our firewall, and
> > configured a rule to drop all inbound NTP requests. I got an email
> > from our ISP in the next hour from their abuse desk, and was able to
> > reply that I had fixed the problem.
> >
> > US Cert has issued a more generic warning regarding UDP amplification
> > attacks, including NTP, DNS, NBNS and SNMPv2, among others:
> > https://www.us-cert.gov/ncas/alerts/TA14-017A
> >
> > You can talk with your ISP about blocking these UDP protocols inbound
> > somewhere upstream, if you don't need them.
> >
> > Kurt
>
> --
> Thanks,
>
> Joe Matuscak | Director of Technology
> Rohrer Corporation | Office: 330-335-1541
> 717 Seville Road | Wadsworth, Ohio 44281
> www.rohrer.com | A Better Package
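As an added example (not code from anyone in the thread), the following Python parses the restrict lines of an ntp.conf and reports which flags ntpd would apply to a given source address, so an admin can confirm that the "noquery" default from Joe's message blocks management queries from the Internet while the internal subnet exception still permits them. The sample config is constructed from the two lines quoted above, and the script assumes ntpd's rule that the most specific matching restrict entry wins.

```python
"""Check which ntpd 'restrict' flags apply to a source address.

Constructed example: parses 'restrict' lines from an ntp.conf, picks the
most specific entry matching a source IP (assumed longest-prefix rule, as
ntpd does), and reports whether mode 6/7 management queries are denied.
"""
import ipaddress

# Constructed ntp.conf fragment built around the two restrict lines from the thread.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""


def parse_restrict(conf: str):
    """Return a list of (network, flag-set) for each IPv4 'restrict' line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()          # drop comments
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        if parts[1] == "default":                      # applies to everything
            net, flags = ipaddress.ip_network("0.0.0.0/0"), parts[2:]
        elif len(parts) >= 4 and parts[2] == "mask":   # 'restrict A.B.C.D mask M.M.M.M ...'
            net, flags = ipaddress.ip_network(f"{parts[1]}/{parts[3]}"), parts[4:]
        else:                                          # single host, no mask keyword
            net, flags = ipaddress.ip_network(f"{parts[1]}/32"), parts[2:]
        rules.append((net, set(flags)))
    return rules


def effective_flags(rules, source_ip: str) -> set:
    """Flags of the most specific (longest prefix) entry that matches source_ip."""
    addr = ipaddress.ip_address(source_ip)
    matches = [(net, flags) for net, flags in rules if addr in net]
    if not matches:
        return set()                                   # no restriction at all
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def queries_blocked(conf: str, source_ip: str) -> bool:
    """True if management queries (e.g. monlist) are denied for source_ip."""
    flags = effective_flags(parse_restrict(conf), source_ip)
    return "noquery" in flags or "ignore" in flags


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.168.1.20", "127.0.0.1"):
        state = "blocked" if queries_blocked(SAMPLE_CONF, ip) else "ALLOWED"
        print(f"{ip}: management queries {state}")
```

Run it against your real ntp.conf by replacing SAMPLE_CONF with the file contents; any public source address that comes back "ALLOWED" is one the server would still answer amplification queries for.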

