We run Butch's Firewall script on both networks. I'll swear by it! It took a while to break it in, but for the most part it has helped us.

--
Bob Pensworth, WA7BOB | General Manager
CresComm WiFi, LLC | Crescent Key | Peninsula Lions Club
Serving Washington's Coastal Counties Since 1985
(360) 642-0858 | WISPA Principal Member

From: [email protected] [mailto:[email protected]] On Behalf Of Glenn Kelley
Sent: Saturday, November 08, 2014 10:10 AM
To: Mikrotik Users
Subject: Re: [Mikrotik Users] NTP DDOS Attacks

Butch is not saying something here - so I will for him.

BUY HIS FIREWALL SCRIPT
Well worth its small cost.

On Fri, Nov 7, 2014 at 9:05 AM, Butch Evans <[email protected]> wrote:

On 11/07/2014 07:24 AM, Butch Evans wrote:
> On 11/07/2014 01:55 AM, Chris Hudson wrote:
>> Anyone else having NTP based DDoS attacks? Any suggestions on how to
>> prevent them?
>
> Depends on exactly how you want to manage the attacks. If you have NO
> public NTP servers on your network, you can block all traffic destined
> for UDP port 123 entering on your WAN port in both the input and forward
> chains. If you DO have public NTP servers on your network, then you do
> the same, but put an exception to allow UDP port 123 destination IP of
> those servers BEFORE the above drop rules. If you don't have any public
> IP space on your network, then you simply do the above in the input
> rules only. Pretty straightforward.

I might add that blocking this on the input chain if you don't have public IPs behind your router is ONLY necessary IF you have a running NTP server on your router.

--
Butch Evans 702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/
_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
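The rule set Butch describes above, written out as RouterOS firewall commands. This is an added example, not Butch's script or anything posted in the thread; the WAN interface name (ether1) and the public NTP server address (203.0.113.10, a documentation range address) are placeholders you would replace with your own.

```routeros
# Added example: Butch's NTP drop rules as RouterOS commands.
# Assumptions (placeholders): WAN is ether1; the only public NTP server
# behind the router is 203.0.113.10. Rules are evaluated top to bottom,
# and "add" appends at the end, so on an existing firewall use
# place-before=<rule number> to put these in the right spot.

# 0. Keep replies to the router's own outbound NTP queries working.
#    Connection tracking marks the reply as established, so this accept
#    must sit above the UDP/123 drop in the input chain.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="allow replies, incl. router's own NTP client"

# 1. Exception for a public NTP server you host: goes BEFORE the drops.
#    Leave this out entirely if you host no public NTP servers.
/ip firewall filter add chain=forward in-interface=ether1 protocol=udp \
    dst-port=123 dst-address=203.0.113.10 action=accept \
    comment="public NTP server exception"

# 2. Drop everything else aimed at UDP/123 that arrives on the WAN port.
#    input   = traffic to the router itself; per Butch, only needed when
#              the router runs an NTP server (or there are no public IPs
#              behind it, in which case this is the only rule you need)
#    forward = traffic routed through to hosts behind the router; only
#              needed when you have public IP space behind the router
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=123 action=drop comment="drop NTP to router from WAN"
/ip firewall filter add chain=forward in-interface=ether1 protocol=udp \
    dst-port=123 action=drop comment="drop NTP through router from WAN"

# 3. Verify the order (exception above drops) and watch the packet/byte
#    counters on the drop rules climb while an attack is under way.
/ip firewall filter print stats where dst-port=123
```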
