Anssi Johansson wrote:
It happened again today. This time I had tcpdump running and captured
the traffic: http://tursas.miuku.net/tmp/ntp.tursas.2.tcpdump.gz
13:26:19.545411 IP 27.50.2.183.http > tursas.miuku.net.ntp: NTPv2, Reserved, length 160
13:26:19.545452 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
13:26:19.545461 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
13:26:19.545466 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
...
I ended up adding something like this to my firewall:
iptables -A INPUT -p udp --dport 123 -m string --algo bm --from 27 --to 28 \
    --hex-string '|1700022A|' -m limit --limit 1/minute -j LOG --log-prefix "NTP:"
iptables -A INPUT -p udp --dport 123 -m string --algo bm --from 27 --to 28 \
    --hex-string '|1700022A|' -j DROP
This iptables configuration should prevent this specific attack,
although it's probably ineffective against variations on the theme.
I have now also added the suggested "limited kod" option to my ntpd
configuration. I'll keep an eye on the situation to see if more tweaks
are needed.
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
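As an added example (not part of the post above, and not code from the ntp.org pool project), the following Python script decodes the bytes that the iptables rule matches on: the first byte 0x17 of the captured packets is LI=0, NTP version 2, mode 7 (the private "ntpdc" protocol, which tcpdump prints as "Reserved"), and the fourth byte 0x2A is request code 42, MON_GETLIST_1, i.e. a monlist query. The script classifies constructed sample payloads, checks where the UDP payload actually begins inside an IPv4 datagram (offset 28 only when the IP header carries no options, which is the assumption behind a narrow `--from`/`--to` window), and computes the response-to-request byte ratio from records shaped like the capture (one 160-byte request, 488-byte replies). All packet bytes and flow records are constructed here; the host names and the peer address are taken from the quoted tcpdump output.

```python
"""Classify NTP packets the way the firewall rule does, and measure the
request/response byte ratio seen in the capture.
All sample packets and flow records below are constructed for the example."""
import struct
from collections import defaultdict

NTP_MODE_PRIVATE = 7      # mode 7: ntpd's private protocol, where monlist lives
REQ_MON_GETLIST_1 = 42    # 0x2A: the monlist request code
MONLIST_PATTERN = bytes.fromhex("1700022A")  # the hex string the iptables rule matches


def parse_ntp_header(payload: bytes) -> dict:
    """Decode LI/VN/mode from byte 0 of any NTP packet and, for mode 7,
    the private-protocol fields in bytes 1..3."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    hdr = {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}
    if hdr["mode"] == NTP_MODE_PRIVATE and len(payload) >= 4:
        # byte 1: R (response) | M (more) | 6-bit sequence,
        # byte 2: implementation, byte 3: request code
        hdr["response"] = bool(payload[1] & 0x80)
        hdr["more"] = bool(payload[1] & 0x40)
        hdr["implementation"] = payload[2]
        hdr["request_code"] = payload[3]
    return hdr


def is_monlist_request(payload: bytes) -> bool:
    """True for a mode-7 request (not a response) with request code MON_GETLIST_1."""
    hdr = parse_ntp_header(payload)
    return (hdr["mode"] == NTP_MODE_PRIVATE
            and hdr.get("response") is False
            and hdr.get("request_code") == REQ_MON_GETLIST_1)


def build_ipv4_udp(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4+UDP datagram (checksums left zero) for offset experiments.
    Source port 80 mirrors the 'http' source port in the capture."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 80, 123, 8 + len(payload), 0)
    return ip_hdr + ip_options + udp_hdr + payload


def udp_payload_offset(ip_packet: bytes) -> int:
    """Where the NTP payload really starts: IHL*4 + 8, which is 28 only without IP options."""
    return (ip_packet[0] & 0x0F) * 4 + 8


def matches_at_fixed_offset(ip_packet: bytes, offset: int = 28,
                            pattern: bytes = MONLIST_PATTERN) -> bool:
    """Fixed-offset byte comparison, the check a narrow --from/--to string match relies on."""
    return ip_packet[offset:offset + len(pattern)] == pattern


def amplification_by_peer(records, server):
    """records: iterable of (src, dst, udp_payload_len) for port-123 traffic.
    Returns {peer: (bytes_received_from_peer, bytes_sent_to_peer, ratio)}."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, length in records:
        if dst == server:
            stats[src][0] += length
        elif src == server:
            stats[dst][1] += length
    return {peer: (rx, tx, round(tx / rx, 2) if rx else None)
            for peer, (rx, tx) in stats.items()}


# Constructed samples: a 160-byte monlist request like the captured one, and a
# normal 48-byte NTPv4 client poll (byte 0 = 0x23: LI=0, VN=4, mode 3).
MONLIST_REQUEST = MONLIST_PATTERN + bytes(156)
CLIENT_REQUEST = bytes([0x23]) + bytes(47)

# Constructed flow records shaped like the capture: one request, three 488-byte replies.
SERVER = "tursas.miuku.net"
PEER = "27.50.2.183"
FLOW_RECORDS = [(PEER, SERVER, 160)] + [(SERVER, PEER, 488)] * 3

if __name__ == "__main__":
    print(parse_ntp_header(MONLIST_REQUEST))
    print("monlist request:", is_monlist_request(MONLIST_REQUEST),
          "client poll:", is_monlist_request(CLIENT_REQUEST))
    plain = build_ipv4_udp(MONLIST_REQUEST)
    with_opts = build_ipv4_udp(MONLIST_REQUEST, ip_options=bytes(4))
    print("payload offset without/with options:",
          udp_payload_offset(plain), udp_payload_offset(with_opts))
    print("fixed offset 28 matches:", matches_at_fixed_offset(plain),
          matches_at_fixed_offset(with_opts))
    print(amplification_by_peer(FLOW_RECORDS, SERVER))
```

The offset check is the caveat worth keeping in mind for any byte-offset firewall rule: a datagram carrying IP options shifts the payload by the option length, so a match pinned to offset 28 silently stops firing for such packets, while `is_monlist_request` keyed on the decoded NTP header does not care where the payload starts.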