It's an attack designed to use up bandwidth. UDP reflection attacks are very easy to do, and require very little skill. While trivial to block, it still requires that the person under attack contact their provider and get the blocks applied upstream. This can take a while to do, making this a very effective DDoS. These attacks easily reach 1 Gbps, so most server uplinks are not going to be able to handle them. We haven't yet seen any NTP reflection attacks, but I'm sure it's coming.



On 11/5/2013 8:10 AM, Marek Podmaka wrote:
Hello,

How would someone benefit from DDoSing UDP port 80?
NTP itself can rate limit responses per source IP.

Tuesday, November 5, 2013, 4:54:38, Justin wrote:

I have two machines that participate in the ntp pool project, and I received an abuse email today. Basically, my server was DDoSing someone else, an NTP reflection attack. Obviously that is not something I want to do. By default my ntp server allows anyone that connects to port 123. These DDoS were sending the responses back to someone's port 80, which is causing me the headache. My first step will be to lock the ntp down to port 123 and ports above 1024 for people behind a NAT. I was also going to place an iptables rate limit. Is there anything else I should be doing? I have read about the restrict limited and discard statements in ntp.conf, but I'm not sure if that will help here. All my solutions have been outside ntp.conf, so I know I have to be overlooking something. I have never had problems with aggressive clients or NTP reflection DoS before. I also really do not care about aggressive clients even now. The system particulars: Ubuntu 13.10/x86, which uses ntp 4.2.6.p5+dfsg-3ubuntu2. Any assistance is welcomed.
Thanks again.
Justin
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
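As an added example, not from the thread or any of its authors: the shape of an /etc/ntp.conf (ntpd 4.2.6, as shipped on Ubuntu 13.10) that the `restrict limited` and `discard` statements Justin asks about are meant to produce, with the permissive default shown beside the hardened form. The upstream server hostnames are placeholders.

```conf
# --- Permissive: what "allows anyone that connects to port 123" looks like ---
# With no restrict lines, ntpd answers time requests AND mode 6/7 control
# queries (ntpq/ntpdc) from any source. Those query replies are far larger
# than the request, so a spoofed source address turns the server into an
# amplifier aimed at the victim (here, the victim's port 80).
#   server 0.pool.ntp.org        # placeholder upstream
#   restrict default             # no flags: no restriction at all

# --- Hardened ---
driftfile /var/lib/ntp/ntp.drift

# Rate limiting: "discard" sets the minimum average spacing (2^average
# seconds) and the minimum spacing (seconds) between packets from one
# source; it only takes effect for sources whose restrict line has "limited".
discard average 3 minimum 2

# Default for every source: serve time only.
#   kod      answer rate-limited clients with a Kiss-o'-Death packet
#   limited  drop packets that violate the discard thresholds above
#   nomodify / notrap / nopeer   refuse runtime reconfiguration, traps, peering
#   noquery  refuse ntpq/ntpdc (mode 6/7) queries, the large-reply path
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# The host itself keeps full access so ntpq still works locally.
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers: accept time from them, still refuse queries/changes.
server 0.pool.ntp.org iburst
restrict 0.pool.ntp.org nomodify notrap noquery

# Also switch off the monitoring facility that mode 7 queries read from.
disable monitor
```

After editing, restart ntpd and confirm from another host that `ntpq -p <server>` is refused while `ntpdate -q <server>` still gets an answer.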



