Hey there,

I've received the same "DOS-Warning" from Hetzner (www.hetzner.de).
Interestingly, the time and IP range are different. I received the
email at around 08:00 UTC (Sunday), with IPs in the 47.1.x.x subnet.

From the logs I agree it looks to be a standard spoofed request. There's
not much we can do about it. Most probably the Hetzner DOS detection
just hit a false positive. I have also implemented rate-limiting in the
firewall, but with spoofed source IPs that's obviously not going to help.

Cheers,

Helge Döring


P.S.: Attaching the log

P.P.S.: Whois for me (one random IP):

# The following results may also be obtained via:
#
# https://whois.arin.net/rest/nets;q=47.1.130.17?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       47.0.0.0 - 47.7.255.255
CIDR:           47.0.0.0/13
NetName:        BNR
NetHandle:      NET-47-0-0-0-1
Parent:         NET47 (NET-47-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Bell-Northern Research (BELLNO)
RegDate:        1989-01-06
Updated:        2016-02-09
Ref:            https://whois.arin.net/rest/net/NET-47-0-0-0-1


OrgName:        Bell-Northern Research
OrgId:          BELLNO
Address:        3500 Carling Avenue
City:           Ottawa
StateProv:      ON
PostalCode:     K2H 8E9
Country:        CA
RegDate:        1989-01-06
Updated:        2013-12-23
Ref:            https://whois.arin.net/rest/org/BELLNO



LOG (shortened due to size restrictions):

##########################################################################
#              Portscan detected from host    178.63.9.212               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Sun Oct 16 09:53:00 2016 UDP    178.63.9.212 123   =>      47.1.16.25 59173
Sun Oct 16 09:53:10 2016 UDP    178.63.9.212 123   =>     47.1.200.75 55814
Sun Oct 16 09:53:50 2016 UDP    178.63.9.212 123   =>    47.1.115.150 54784
Sun Oct 16 09:53:42 2016 UDP    178.63.9.212 123   =>     47.1.76.201 33721
Sun Oct 16 09:52:57 2016 UDP    178.63.9.212 123   =>     47.1.253.32 40437
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>     47.1.181.11 45275
Sun Oct 16 09:53:00 2016 UDP    178.63.9.212 123   =>     47.1.156.10 54179
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>      47.1.43.90 43751
Sun Oct 16 09:53:47 2016 UDP    178.63.9.212 123   =>     47.1.150.12 43932
Sun Oct 16 09:53:33 2016 UDP    178.63.9.212 123   =>     47.1.130.17 52288
Sun Oct 16 09:53:16 2016 UDP    178.63.9.212 123   =>     47.1.125.13 44324
Sun Oct 16 09:53:51 2016 UDP    178.63.9.212 123   =>    47.1.100.186 57860
Sun Oct 16 09:53:48 2016 UDP    178.63.9.212 123   =>       47.1.68.9 52599
Sun Oct 16 09:52:50 2016 UDP    178.63.9.212 123   =>    47.1.235.205 37332
Sun Oct 16 09:53:23 2016 UDP    178.63.9.212 123   =>    47.1.178.112 45376
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>    47.1.136.169 36452
Sun Oct 16 09:53:28 2016 UDP    178.63.9.212 123   =>      47.1.52.68 57547
Sun Oct 16 09:53:26 2016 UDP    178.63.9.212 123   =>      47.1.81.87 58835
Sun Oct 16 09:53:43 2016 UDP    178.63.9.212 123   =>     47.1.250.70 49877
Sun Oct 16 09:53:50 2016 UDP    178.63.9.212 123   =>    47.1.208.133 33763
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>      47.1.254.4 58158
Sun Oct 16 09:53:46 2016 UDP    178.63.9.212 123   =>     47.1.78.109 52404
Sun Oct 16 09:53:06 2016 UDP    178.63.9.212 123   =>     47.1.214.47 47425
Sun Oct 16 09:53:36 2016 UDP    178.63.9.212 123   =>    47.1.116.130 41712
Sun Oct 16 09:53:05 2016 UDP    178.63.9.212 123   =>       47.1.85.8 42272
Sun Oct 16 09:53:10 2016 UDP    178.63.9.212 123   =>      47.1.30.30 52465
Sun Oct 16 09:52:58 2016 UDP    178.63.9.212 123   =>     47.1.76.219 54854
Sun Oct 16 09:53:02 2016 UDP    178.63.9.212 123   =>     47.1.115.49 38157
Sun Oct 16 09:53:37 2016 UDP    178.63.9.212 123   =>    47.1.137.200 44527
[......]
Sun Oct 16 09:53:46 2016 UDP    178.63.9.212 123   =>     47.1.20.157 55845
Sun Oct 16 09:53:42 2016 UDP    178.63.9.212 123   =>    47.1.146.241 50776
Sun Oct 16 09:52:52 2016 UDP    178.63.9.212 123   =>     47.1.158.25 50776
Sun Oct 16 09:53:11 2016 UDP    178.63.9.212 123   =>       47.1.4.25 38847
Sun Oct 16 09:53:37 2016 UDP    178.63.9.212 123   =>     47.1.200.14 44922
Sun Oct 16 09:53:47 2016 UDP    178.63.9.212 123   =>     47.1.87.217 50197
Sun Oct 16 09:53:47 2016 UDP    178.63.9.212 123   =>    47.1.164.169 59855
Sun Oct 16 09:53:31 2016 UDP    178.63.9.212 123   =>    47.1.207.149 59125
Sun Oct 16 09:53:49 2016 UDP    178.63.9.212 123   =>      47.1.24.57 37823
Sun Oct 16 09:53:12 2016 UDP    178.63.9.212 123   =>      47.1.4.145 53294
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>     47.1.39.193 55453
Sun Oct 16 09:53:50 2016 UDP    178.63.9.212 123   =>    47.1.205.229 35820
Sun Oct 16 09:53:18 2016 UDP    178.63.9.212 123   =>    47.1.217.121 43010
Sun Oct 16 09:53:38 2016 UDP    178.63.9.212 123   =>     47.1.213.91 52473
Sun Oct 16 09:52:37 2016 UDP    178.63.9.212 123   =>     47.1.192.75 36366
Sun Oct 16 09:53:31 2016 UDP    178.63.9.212 123   =>      47.1.0.127 54615
Sun Oct 16 09:53:45 2016 UDP    178.63.9.212 123   =>    47.1.216.146 33897
Sun Oct 16 09:52:54 2016 UDP    178.63.9.212 123   =>    47.1.177.159 44392
Sun Oct 16 09:52:58 2016 UDP    178.63.9.212 123   =>    47.1.108.202 54862

------------------



On 17.10.2016 at 10:54, Ralf Hildebrandt wrote:
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
>
> The destination IP belongs to:
>
> inetnum:        49.8.0.0 - 49.11.255.255
> netname:        SixKanet
> descr:          SixKanet
> descr:          78 Garak-dong, Songpa-gu, Seoul
>
> Is this an NTP reflection/amplification attack? What can I do?
> I'm running: 4.2.8p4+dfsg-3ubuntu5.3 from Ubuntu
>
> My config:
>
> driftfile /var/lib/ntp/ntp.drift
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> server time.fu-berlin.de
> server ntps1-1.cs.tu-berlin.de
> server ntps1-0.cs.tu-berlin.de
> server ntp1.fau.de
> server ntp2.fau.de
> server ptbtime2.ptb.de
> server ptbtime1.ptb.de
>
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
>
>
>> ##########################################################################
>> #              Portscan detected from host 213.239.204.119               #
>> ##########################################################################
>>
>> time                protocol src_ip src_port          dest_ip dest_port
>> ---------------------------------------------------------------------------
>> Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123   =>     49.9.253.77 48943
>> [...]
>> Sun Oct 16 23:26:10 2016 UDP 213.239.204.119 123   =>    49.9.217.207 54715
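Both logs above show the same signature: UDP replies leaving port 123 toward many different hosts in one /16, on random high ports, within about a minute. Hetzner's detector reads that as a port scan; for an NTP server it is the footprint of spoofed client requests being reflected to a victim. The script below is an added example, not code from either poster or from Hetzner: it parses lines in the log layout shown above and flags a source whose port-123 replies fan out to many distinct hosts on non-123 ports inside a short window. The sample lines, thresholds and the 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the "Portscan detected" log above:
# six replies fanning out into 47.1.0.0/16 plus two normal 123 -> 123 exchanges.
SAMPLE_LOG = """\
Sun Oct 16 09:53:00 2016 UDP    178.63.9.212 123   =>      47.1.16.25 59173
Sun Oct 16 09:53:10 2016 UDP    178.63.9.212 123   =>     47.1.200.75 55814
Sun Oct 16 09:53:50 2016 UDP    178.63.9.212 123   =>    47.1.115.150 54784
Sun Oct 16 09:53:42 2016 UDP    178.63.9.212 123   =>     47.1.76.201 33721
Sun Oct 16 09:52:57 2016 UDP    178.63.9.212 123   =>     47.1.253.32 40437
Sun Oct 16 09:53:40 2016 UDP    178.63.9.212 123   =>    47.1.100.186 57860
Sun Oct 16 09:10:00 2016 UDP    178.63.9.212 123   =>      192.0.2.10 123
Sun Oct 16 09:11:00 2016 UDP    178.63.9.212 123   =>      192.0.2.11 123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) +(?P<proto>\w+) +"
    r"(?P<src_ip>[\d.]+) +(?P<src_port>\d+) +=> +(?P<dst_ip>[\d.]+) +(?P<dst_port>\d+)$")

def parse_line(line):
    """Return one flow record, or None for banner, header and separator lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y"), "proto": d["proto"],
            "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
            "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"])}

def reflection_candidates(text, window_s=120, min_targets=5):
    """Flag sources whose UDP/123 replies reach >= min_targets distinct hosts on
    non-123 ports within window_s seconds (the spoofed-client pattern).
    Server-to-server traffic (123 -> 123) is ignored."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        r = parse_line(line)
        if r and r["proto"] == "UDP" and r["src_port"] == 123 and r["dst_port"] != 123:
            by_src[r["src_ip"]].append(r)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi, cur in enumerate(recs):  # sliding time window over sorted records
            while (cur["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            targets = {r["dst_ip"] for r in recs[lo:hi + 1]}
            if len(targets) >= min_targets and len(targets) > findings.get(src, {}).get("targets", 0):
                findings[src] = {"targets": len(targets),
                                 "span_s": (cur["ts"] - recs[lo]["ts"]).total_seconds(),
                                 "victim_prefixes": sorted({ip.rsplit(".", 2)[0] + ".0.0/16" for ip in targets})}
    return findings
```

Run it over a full log with `reflection_candidates(open("portscan.log").read())`; a hit tells you which prefix is the victim, which is what the abuse desk needs, while the spoofed sources themselves cannot be recovered from the log.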



_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool