My server sits behind an IPcop with snort/guardian modifications 
(guardian blocks IPs based on snort rules).
I've added the following rule into local.rules. It is untested as yet.
If anybody cares to check it I'd be grateful.
The intent is to block any IP that hits more than 30 times in any 15-minute 
period.

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"NTP abuse"; threshold: type threshold, track by_src, count 30, seconds 900; priority: 1; classtype:non-standard-protocol; sid:2000004;)
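As an added check of what the rule above does, here is a small Python model (example code, not part of the original post; the traffic it runs over is constructed): it compares the stated intent (more than 30 packets from one source in any 15-minute window) with Snort's "type threshold" semantics as I understand them, and includes an iburst client to show that a 30-in-900 s rule tolerates the burst that the quoted ntpd discard settings reportedly did not.

```python
# Per-source NTP request-rate checks modelled on the Snort rule above; an added
# example, not from the original post, and the traffic below is constructed.
# sliding_window() is the poster's stated intent (more than COUNT packets from one
# source in *any* SECONDS-long window); snort_threshold() is Snort's documented
# 'threshold: type threshold, track by_src' behaviour as I understand it
# (assumption): a fixed window opens at a source's first packet and an alert
# fires on every COUNT-th packet inside it.
from collections import defaultdict, deque

COUNT, SECONDS = 30, 900          # the rule's count 30, seconds 900


def sliding_window(events, count=COUNT, seconds=SECONDS):
    """Return {src: first_ts} for sources exceeding `count` packets in any
    `seconds` window; `events` is an iterable of (timestamp, src) sorted by time."""
    recent = defaultdict(deque)
    hits = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= seconds:      # expire packets outside the window
            q.popleft()
        if len(q) > count and src not in hits:
            hits[src] = ts
    return hits


def snort_threshold(events, count=COUNT, seconds=SECONDS):
    """Return {src: alerts} under the assumed Snort 'type threshold' semantics:
    fixed window per source, alert whenever the in-window count reaches `count`."""
    state, alerts = {}, defaultdict(int)   # src -> (window_start, count)
    for ts, src in events:
        start, n = state.get(src, (ts, 0))
        if ts - start >= seconds:          # window expired: open a new one
            start, n = ts, 0
        n += 1
        if n >= count:                     # every count-th packet in the window
            alerts[src] += 1
            n = 0
        state[src] = (start, n)
    return dict(alerts)


def sample_events():
    """Constructed traffic: a normal client polling every 64 s, an iburst client
    (8 packets 2 s apart, then 64 s polls) and an abusive source polling every 10 s."""
    ev = [(t, "normal") for t in range(0, 3600, 64)]
    ev += [(t, "iburst") for t in list(range(0, 16, 2)) + list(range(64, 3600, 64))]
    ev += [(t, "abuser") for t in range(0, 3600, 10)]
    return sorted(ev)
```

Over the constructed hour of traffic only "abuser" trips either check (the sliding window at t=300 s, the Snort-style counter three times per window), while the iburst client never reaches 30 packets in a window.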


Laurence wrote:
> After a bit more Googling I found a pdf which suggests the units for the
> first two parameters are seconds:
>
> "If a packet arrives less than two seconds after the previous packet it is
> dropped and a KoD sent if configured.
> 2. If the exponentially averaged interval between packets is less than
> five seconds, succeeding packets are dropped and a KoD sent if
> configured."
>
> (Near the bottom of page 9:
> http://www.cis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf )
>
>   
>> No, this feature is next to useless.
>> I have tried it for a while, but:
>>
>> - there is no other recovery from a blocked address than a restart of ntpd
>> or overflow of the table
>> - the feature false-triggers when people use the burst or iburst
>> facility.  While one would want them not to use it, it happens.  And
>> there is no path of communication back to the client to tell them "stop
>> using burst".  So, after a while there are lots of clients blacklisted
>> that do not send that much traffic.
>>
>> Should you want to try it, I used this:
>> discard average 15 minimum 1 monitor 1
>>     
>
> Maybe the 'minimum' parameter is a bit low?  No idea what time period ntpd
> does its exponential averaging over, but maybe they're getting caught by
> that?
>
> Not resetting until ntpd is restarted sounds like a show stopper though.
>
>   
>> I tried contacting their local system admin (via address on the website)
>> to try to explain they should set up a local server, but never a reply.
>>     
>
> Had the same experience with a financial organisation, didn't ever manage
> to get through to someone who understood and they seem to have gone away
> for now.
>
>   
>> There should have been a messaging feature in NTP.
>>     
>
> Sounds like a plan.  Also sounds like fun for hackers ;)
>
> Laurence
>
> _______________________________________________
> timekeepers mailing list
> [email protected]
> https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
>
>   
