Hello
Since yesterday (2. June 2013) around 20:45 (CEST) I have a
massive amount of requests from 176.42.200.13 (may be spoofed)
with over 90'000 packets / min, see [1]. Currently all requests
are originating from UDP port 1042. The mentioned IP address
itself is currently not reachable (ping, traceroute, mtr, http).
These requests add about 1 Mbit/s to my network traffic, see
[2] (scaled logarithmically). But thanks to the 'limited' option
in ntp.conf my ntpd does not answer most of those requests.
There is no blocking / limiting firewall rule in place regarding
UDP/123.
[1] http://www.home4u.ch/ntp/ntp1.home4u.ch.html
[2] http://www.home4u.ch/mrtg/gate1.html
According to whois the IP address belongs to:
inetnum: 176.42.200.0 - 176.42.207.255
netname: TR-TELLCOM-BB-FTTX-KON-MER-SAM-TEKD
descr: Tellcom Ankara Fiber Dynamic
country: TR
This is not surprising to me, as my server is also in the tr pool
zone. I am glad I do not see this huge amount of requests on my
other 2 servers and on 2 servers from a friend, which are also in
the tr zone.
Does anybody else with servers in the tr pool zone see such a
request flood?
PS: It would be really nice if all ISPs would only allow outbound
traffic with IP addresses originating from their own networks.
This is the only thing which really could help against spoofed
UDP requests.
bye
Fabian
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
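
Added example, not part of the original post: a per-source packets-per-minute counter for NTP requests of the kind the message describes, run over `tcpdump -tt -n` style lines. The sample capture is constructed and scaled down (1,500 packets/min instead of 90,000); the function names, the threshold and every address other than 176.42.200.13 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches IPv4 UDP lines as printed by `tcpdump -tt -n` (epoch timestamps).
LINE_RE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)? IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def find_floods(lines, threshold_per_min=1000, ntp_port=123):
    """Report sources whose busiest minute reaches threshold_per_min NTP requests."""
    per_minute = defaultdict(Counter)  # src -> {minute bucket: packets}
    sports = defaultdict(Counter)      # src -> {UDP source port: packets}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != ntp_port:
            continue  # ignore unparsable lines and non-NTP traffic
        per_minute[m["src"]][int(m["ts"]) // 60] += 1
        sports[m["src"]][int(m["sport"])] += 1
    report = {}
    for src, buckets in per_minute.items():
        minute, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak < threshold_per_min:
            continue
        port, hits = sports[src].most_common(1)[0]
        report[src] = {
            "peak_per_min": peak,
            "peak_minute_epoch": minute * 60,
            "top_sport": port,  # the post saw every request come from UDP port 1042
            "top_sport_share": hits / sum(sports[src].values()),
        }
    return report

def constructed_sample():
    """Constructed capture: one flooding source, two ordinary clients, one DNS packet."""
    base = 1370198700  # 2013-06-02 20:45:00 CEST
    fmt = "{}.{:06d} IP {}.{} > 192.0.2.10.{}: UDP, length 48"
    lines = [fmt.format(base + s, k * 40000, "176.42.200.13", 1042, 123)
             for s in range(120) for k in range(25)]  # 1500 packets/min
    lines += [fmt.format(base + 64 * n, 0, "198.51.100.7", 123, 123) for n in range(2)]
    lines += [fmt.format(base + 30 * n, 5, "203.0.113.20", 40000 + n, 123) for n in range(4)]
    lines.append(fmt.format(base + 1, 0, "203.0.113.20", 5353, 53))
    return lines

if __name__ == "__main__":
    for src, info in find_floods(constructed_sample()).items():
        print(src, info)
```

A source address reported this way may still be spoofed, as the post points out, so the output identifies the traffic pattern, not the real sender.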