Anssi Johansson wrote:
Anssi Johansson wrote:
It happened again today. This time I had tcpdump running and captured
the traffic: http://tursas.miuku.net/tmp/ntp.tursas.2.tcpdump.gz
13:26:19.545411 IP 27.50.2.183.http > tursas.miuku.net.ntp: NTPv2, Reserved, length 160
13:26:19.545452 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
13:26:19.545461 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
13:26:19.545466 IP tursas.miuku.net.ntp > 27.50.2.183.http: NTPv2, Reserved, length 488
...
I ended up adding something like this to my firewall:
iptables -A INPUT -p udp --dport 123 -m string --algo bm --from 27 --to 28 --hex-string '|1700022A|' -m limit --limit 1/minute -j LOG --log-prefix "NTP:"
iptables -A INPUT -p udp --dport 123 -m string --algo bm --from 27 --to 28 --hex-string '|1700022A|' -j DROP
This iptables configuration should prevent this specific attack,
although it's probably ineffective against variations on the theme.
I have now also added the suggested "limited kod" option to my ntpd
configuration. I'll keep an eye on the situation to see if more tweaks
are needed.
The above iptables rule seems to work. At this very moment I'm again
receiving such requests from the same (likely forged) source address,
but this time they're blocked by the firewall. Once again the same two
NTP servers are affected.
I'd urge everyone on this list to check if their servers are seeing
traffic from 27.50.2.183 ('tcpdump -n host 27.50.2.183' for example). If
your server is sending excessive amounts of packets to that host, please
adjust your server configuration accordingly. Thanks.
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
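An added example, not part of the thread, that decodes what the hex string in the iptables rule matches: 0x17 is NTP version 2, mode 7 (the private ntpdc monitoring protocol), and 0x2A is request code 42, REQ_MON_GETLIST_1, the "monlist" request whose oversized replies appear in the capture. It assumes IPv4 without options (the same assumption the --from 27 --to 28 offsets make); all packet contents are constructed, and nothing is sent.

```python
import struct

# The iptables rule searches the IP packet; with a 20-byte IPv4 header and no
# options, the 8-byte UDP header ends and the NTP payload begins at offset 28.
NTP_OFFSET = 20 + 8
MODE_PRIVATE = 7          # NTP "mode 7": ntpdc's private monitoring protocol
REQ_MON_GETLIST = 20      # request codes as defined in ntpd's ntp_request.h
REQ_MON_GETLIST_1 = 42    # 0x2A, the last byte of '|1700022A|'

def classify_ntp(payload: bytes) -> dict:
    """Decode the first four bytes of an NTP datagram.
    Version and mode sit in byte 0 for every mode; for mode 7 the remaining
    bits/bytes are the response flag, more flag, auth flag, sequence number,
    implementation number and request code."""
    if len(payload) < 4:
        raise ValueError("truncated NTP header")
    b0, b1, impl, req = struct.unpack("!BBBB", payload[:4])
    info = {"version": (b0 >> 3) & 0x7, "mode": b0 & 0x7}
    if info["mode"] == MODE_PRIVATE:
        info.update(
            response=bool(b0 & 0x80), more=bool(b0 & 0x40),
            auth=bool(b1 & 0x80), sequence=b1 & 0x7F,
            implementation=impl, request=req,
            monlist=req in (REQ_MON_GETLIST, REQ_MON_GETLIST_1),
        )
    return info

def is_monlist_request(ip_packet: bytes) -> bool:
    """True if an IPv4/UDP packet carries a mode 7 monlist *request*, i.e.
    what the firewall rule above matches at offset 28."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl != 20:            # the rule assumes no IP options; do the same
        return False
    info = classify_ntp(ip_packet[NTP_OFFSET:])
    return info["mode"] == MODE_PRIVATE and not info["response"] and info["monlist"]

def amplification(request_len: int, response_lens: list) -> float:
    """Bytes sent back per byte received, e.g. one 160-byte request that
    triggers three 488-byte replies as in the tcpdump excerpt."""
    return sum(response_lens) / request_len

def sample_packet(ntp_header: bytes) -> bytes:
    """Constructed IPv4 + UDP headers (checksums zero, documentation addresses)
    followed by the given NTP header bytes; offline test input only."""
    udp = struct.pack("!HHHH", 80, 123, 8 + len(ntp_header), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(ntp_header),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp + ntp_header

if __name__ == "__main__":
    print(classify_ntp(bytes.fromhex("1700022a")))
    print(is_monlist_request(sample_packet(bytes.fromhex("1700022a"))))
    print(amplification(160, [488, 488, 488]))
```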