Butch is not saying something here - so I will for him. BUY HIS FIREWALL SCRIPT
well worth its small cost.

On Fri, Nov 7, 2014 at 9:05 AM, Butch Evans <[email protected]> wrote:

> On 11/07/2014 07:24 AM, Butch Evans wrote:
> > On 11/07/2014 01:55 AM, Chris Hudson wrote:
> >> Anyone else having NTP based ddos attacks? Any suggestions on how to
> >> prevent them?
> >
> > Depends on exactly how you want to manage the attacks. If you have NO
> > public NTP servers on your network, you can block all traffic destined
> > for UDP port 123 entering on your WAN port in both the input and forward
> > chains. If you DO have public NTP servers on your network, then you do
> > the same, but put an exception to allow UDP port 123 destination IP of
> > those servers BEFORE the above drop rules. If you don't have any public
> > IP space on your network, then you simply do the above in the input
> > rules only. Pretty straightforward.
>
> I might add that blocking this on the input chain if you don't have
> public IPs behind your router is ONLY necessary IF you have a running
> NTP server on your router.
>
> --
> Butch Evans
> 702-537-0979
> Network Support and Engineering
> http://store.wispgear.net/
> http://www.butchevans.com/
> _______________________________________________
> Mikrotik-users mailing list
> [email protected]
> http://lists.wispa.org/mailman/listinfo/mikrotik-users
>
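
The rule ordering described in the quoted reply, written out as RouterOS filter rules. This is an added example, not part of the thread and not taken from the firewall script mentioned above. The WAN interface name `ether1-wan`, the address-list name `public-ntp` and the address 192.0.2.10 are placeholders chosen for illustration.

```routeros
# Assumptions (not from the thread): WAN interface is "ether1-wan";
# "public-ntp" and 192.0.2.10 are constructed placeholder values.

# Only needed if you run public NTP servers: list their addresses.
/ip firewall address-list
add list=public-ntp address=192.0.2.10 comment="public NTP server (placeholder)"

/ip firewall filter
# 1. Exception first. Filter rules are evaluated top-down, so the accept
#    for the public servers must sit BEFORE the drop rules below.
#    Skip this rule if you have no public NTP servers.
add chain=forward action=accept protocol=udp dst-port=123 \
    in-interface=ether1-wan dst-address-list=public-ntp \
    comment="allow inbound NTP to public NTP servers"

# 2. Forward chain: drop NTP arriving on the WAN port for hosts behind
#    the router. Only relevant if you route public IP space.
add chain=forward action=drop protocol=udp dst-port=123 \
    in-interface=ether1-wan comment="drop inbound NTP (forward)"

# 3. Input chain: drop NTP arriving on the WAN port for the router itself.
#    Per the follow-up in the thread, with no public IPs behind the router
#    this is only necessary if an NTP server is running on the router.
add chain=input action=drop protocol=udp dst-port=123 \
    in-interface=ether1-wan comment="drop inbound NTP (input)"
```

`add` appends to the end of each chain, so on a router with an existing ruleset check the resulting order with `/ip firewall filter print` and keep these rules below any established/related accept rule, so that replies to your own outbound NTP queries are not dropped.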
