Hey there,

I've received the same "DOS-Warning" from Hetzner (www.hetzner.de). Interestingly, the time and IP range are different. I've received the email at around 08:00 UTC (Sunday), with IPs in the 47.1.x.x subnet.

From the logs I agree it looks to be a standard spoofed request. There's not much we can do about it. Most probably the Hetzner DOS detection just hit a false positive. I have also implemented rate-limiting in the firewall, but with spoofed source IPs that's obviously not going to help.

Cheers,
Helge Döring

P.S.: Attaching the log

P.P.S: Whois for me (one random IP):

# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=47.1.130.17?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       47.0.0.0 - 47.7.255.255
CIDR:           47.0.0.0/13
NetName:        BNR
NetHandle:      NET-47-0-0-0-1
Parent:         NET47 (NET-47-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Bell-Northern Research (BELLNO)
RegDate:        1989-01-06
Updated:        2016-02-09
Ref:            https://whois.arin.net/rest/net/NET-47-0-0-0-1

OrgName:        Bell-Northern Research
OrgId:          BELLNO
Address:        3500 Carling Avenue
City:           Ottawa
StateProv:      ON
PostalCode:     K2H 8E9
Country:        CA
RegDate:        1989-01-06
Updated:        2013-12-23
Ref:            https://whois.arin.net/rest/org/BELLNO

LOG (shortened due to size restrictions):

##########################################################################
#               Portscan detected from host 178.63.9.212                 #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
[......]
------------------

On 17.10.2016 at 10:54, Ralf Hildebrandt wrote:
> I received an abuse complaint today, 213.239.204.119 is/was member of
> pool.ntp.org.
>
> The destination IPs belong to:
>
> inetnum: 49.8.0.0 - 49.11.255.255
> netname: SixKanet
> descr: SixKanet
> descr: 78 Garak-dong, Songpa-gu, Seoul
>
> Is this an NTP reflection/amplification attack? What can I do?
> I'm running: 4.2.8p4+dfsg-3ubuntu5.3 from Ubuntu
>
> My config:
>
> driftfile /var/lib/ntp/ntp.drift
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> server time.fu-berlin.de
> server ntps1-1.cs.tu-berlin.de
> server ntps1-0.cs.tu-berlin.de
> server ntp1.fau.de
> server ntp2.fau.de
> server ptbtime2.ptb.de
> server ptbtime1.ptb.de
>
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
>
>
>> ##########################################################################
>> #             Portscan detected from host 213.239.204.119                #
>> ##########################################################################
>>
>> time                protocol src_ip src_port          dest_ip dest_port
>> ---------------------------------------------------------------------------
>> Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123 => 49.9.253.77 48943
>> [...]
>> Sun Oct 16 23:26:10 2016 UDP 213.239.204.119 123 => 49.9.217.207 54715

_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
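
Added example, not part of either message above and not the provider's tooling: a small Python triage of a report in the row format shown in this thread, summarising whether every flagged packet is an answer leaving UDP/123 towards ephemeral ports, as replies to spoofed requests would be. The sample rows are constructed with RFC 5737 documentation addresses, and the function names and the heuristic are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Row format as shown in the thread's report:
#   <weekday mon day hh:mm:ss year> UDP <src_ip> <src_port> => <dest_ip> <dest_port>
ROW = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4}\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+=>\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# Constructed sample rows (documentation addresses), not taken from the thread.
SAMPLE = """\
Sun Oct 16 09:53:00 2016 UDP 192.0.2.10 123 => 198.51.100.25 59173
Sun Oct 16 09:53:10 2016 UDP 192.0.2.10 123 => 198.51.100.75 55814
Sun Oct 16 09:53:50 2016 UDP 192.0.2.10 123 => 198.51.100.150 54784
Sun Oct 16 09:53:42 2016 UDP 192.0.2.10 123 => 198.51.100.201 33721
[...]
Sun Oct 16 09:52:57 2016 UDP 192.0.2.10 123 => 198.51.100.32 40437
"""

def summarize(report, prefix_len=24):
    """Summarise report rows; banner, header and '[...]' lines are skipped."""
    rows = [m.groupdict() for m in map(ROW.match, report.splitlines()) if m]
    nets = Counter(
        str(ipaddress.ip_network(f"{r['dst']}/{prefix_len}", strict=False))
        for r in rows
    )
    return {
        "rows": len(rows),
        "src_ports": sorted({int(r["sport"]) for r in rows}),
        "distinct_dests": len({r["dst"] for r in rows}),
        "dest_nets": dict(nets),
        "low_dest_ports": sum(int(r["dport"]) < 1024 for r in rows),
    }

def looks_like_ntp_replies(s, min_dests=3):
    """Heuristic (assumption of this example): all packets leave from UDP/123
    towards many hosts on ephemeral ports, i.e. the server answering queries."""
    return (s["rows"] > 0 and s["src_ports"] == [123]
            and s["low_dest_ports"] == 0 and s["distinct_dests"] >= min_dests)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary, looks_like_ntp_replies(summary))
```

A result of True only describes the shape of the traffic in the report; it does not show who sent the requests.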