Reflective multiplication attacks are the current vogue. Send a small DNS query with a forged return address to an authoritative server and get a much larger reply in turn.

NTP wouldn't be a good target for such an attack because the response is the same size as the query. Could still be used in a reflective attack but it wouldn't have the multiplication effect of a reflective DNS attack.

I put a rate limit on my DNS server to keep it from being used for this sort of attack. Also have a rate limit on NTPD. In the long run the only solution to this problem is for ISPs to stop forged packets at their network edge. There's no reason they should be dumping packets with return addresses outside their network onto the internet.

Tim
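As an added illustration of the per-source rate check discussed in this thread (example code, not from the list or from ntpd), here is a small sliding-window detector run over constructed request records; the addresses are documentation-range placeholders and the 60/s threshold is the low end of the rates reported in the quoted messages.

```python
"""Per-source NTP request-rate check over (timestamp_seconds, source_ip) records,
such as would be parsed from a capture of udp/123 traffic. Constructed example."""
from collections import defaultdict, deque


def peak_rates(records, window=1.0):
    """Return {source_ip: peak number of requests seen in any `window` seconds}."""
    by_src = defaultdict(deque)   # source -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, src in sorted(records):
        q = by_src[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > peak[src]:
            peak[src] = len(q)
    return dict(peak)


def excessive_sources(records, threshold=60, window=1.0):
    """Sources whose peak rate exceeds `threshold` requests per window.
    A well-behaved ntpd client polls at most every 16 s (minpoll 4), so even a
    few requests per second from one address is already far outside normal."""
    return {src: r for src, r in peak_rates(records, window).items() if r > threshold}


def constructed_sample():
    """Constructed traffic: three clients polling every 64 s, plus one source
    (placeholder address 203.0.113.5) sending 256 requests/s for 3 seconds.
    256/s is used so that n/256.0 is exact in binary floating point."""
    recs = []
    for i, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        recs += [(t + i * 7, src) for t in range(0, 600, 64)]   # 10 polls each
    recs += [(100.0 + n / 256.0, "203.0.113.5") for n in range(768)]
    return recs


if __name__ == "__main__":
    for src, rate in excessive_sources(constructed_sample()).items():
        print(f"{src}: peak {rate} requests/s, candidate for edge block / rate limit")
```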
On 5/9/2013 10:05 AM, AlbyVA wrote:
Given this new age of Botnet Armies DDoSing servers for a variety of reasons, this is something to keep an eye on. Config fat fingers can be fixed once word gets back to the source. But deliberate attacks may become more of a pain in the rear.

I now wonder about the implications if a DDoS attack is directed at pool.ntp.org or the XX.ntpns.org DNS servers. That might not be cool.

-Alby
On Thu, May 9, 2013 at 8:55 AM, <[email protected]> wrote:
Flood stopped around 22:50 EDT
Tim
On 5/8/2013 6:49 PM, [email protected] wrote:
I just fired off an e-mail to their abuse department. If you do the same perhaps they'll take it seriously enough to investigate. Might be a reflective attack that they can't do anything about, but if it's just a customer with a badly configured NTP client they ought to be able to resolve the issue for us.

Tim
On 05/08/2013 10:58 AM, Stuart Berry wrote:
I have just checked my logs and I'm getting between 300 - 1500 requests a second from this IP. Looks like it's been happening for roughly the last 72 hours.

I've just blocked it at my edge, not sure if it's worth worrying about any further. I'll monitor it for the next few days and if it doesn't subside I'll contact the abuse for that block.

Stuart.
AlbyVA <[email protected]> wrote:

I would contact your provider's abuse/security group about a possible DDoS attack from this address. They should be able to filter the traffic before it eats up your bandwidth.

AS | IP | AS Name
12083 | 75.76.155.206 | WOW-INTERNET - WideOpenWest Finance LLC

-Alby
On Wed, May 8, 2013 at 10:03 AM, <[email protected]> wrote:
For the last six hours or so I have seen an obnoxious rate of requests (ranging from 60 to 300 per second) from the aforementioned IP. Not sure if it's a badly implemented client or someone trying to use my server for some sort of reflective attack. It has long since been blocked by my firewall but I've been running servers in the pool for a few years now and never had to deal with this before.

Curious if anybody else has seen this? Any suggestions for what to do about it other than block the traffic at my edge and wait for it to die down?
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool