My UK server also got hammered. In early October bandwidth exploded and I shut it down for 2-3 weeks. I turned it on again Oct 30 and set the bandwidth limit to 384kB (it had been 100MB). Sunday bandwidth exploded and my hosting provider null routed my IPv4 address; they said it was affecting their network. Outbound was 10GB in one hour. TX/RX ratio for the day was 111:1 (from vnstat). Too late for a TCP dump, I had to firewall IPv4 port 123 UDP (IPv6 is still up). My hosting provider reconnected me after I did this.
I did a "ntpdc -c monlist" and of the 600 IPs listed 107 of them were in the form pXXXXXXXX.dip0.t-ipconnect.de. I did IP lookups on several of them and they were very random IPs, all different /8s. Is allowing query a problem? Does that allow amplification? I still have 4 servers in the USA, but they haven't shown any problems yet.

E Frank Ball [email protected]

On Tue, Nov 05, 2013 at 08:27:49AM -0800, Ask Bjørn Hansen wrote:
>
> Can you show a tcpdump of this?
>
> I got two other DDOS related reports in the last 24 hours (which is at least
> 2 more than I recall getting in any given *month* or maybe even year in the
> last 8!).
>
> One was a straight up udp reflection attack (management packets, I think) -
> maybe similar to yours.
>
> The other was udp packets, but not port 123 in either end. It looked like it
> was just a straight up "dump traffic that way" attack. That was multiple
> gigabits though.
>
>
> Ask
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
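The question in the post above (does allowing queries enable amplification?) comes down to two lines in ntp.conf: a `restrict default` line that lacks `noquery` lets any host on the Internet issue ntpq/ntpdc control queries, monlist included, and a monlist reply of up to 600 addresses is many times larger than the request that triggered it. `noquery` refuses those control queries while still answering ordinary time requests, and `disable monitor` turns the monitor list off on ntpd builds that still implement it (4.2.7p26 and later no longer do). The script below is an added example, not code from the thread or from the NTP project: it audits an ntp.conf for those two settings and runs itself against two constructed sample configurations. The sample upstream `ntp.example.com` and the file layout are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit an ntp.conf for the
# two settings that decide whether "ntpdc -c monlist" answers strangers.
#   - every "restrict default" line (v4 and v6) should carry "noquery", which
#     refuses ntpq/ntpdc mode 6/7 queries, monlist included, but still serves time;
#   - "disable monitor" switches the monitor list off outright, the documented
#     mitigation for ntpd releases that still implement monlist.
# check_ntp_conf FILE prints what it finds and returns 0 only when hardened.
check_ntp_conf() {
    conf="$1"
    # drop comments and squeeze whitespace so the patterns below are predictable
    cleaned=$(sed 's/#.*//' "$conf" | tr -s '[:blank:]' ' ')

    restricts=$(printf '%s\n' "$cleaned" | grep -E '^ ?restrict( -[46])? default( |$)' || true)
    total=$(printf '%s\n' "$restricts" | grep -c 'restrict' || true)
    with_noquery=$(printf '%s\n' "$restricts" | grep -c ' noquery' || true)
    monitor_off=$(printf '%s\n' "$cleaned" | grep -Ec '^ ?disable .*monitor' || true)

    exposed=0
    if [ "$total" -eq 0 ]; then
        echo "$conf: no 'restrict default' line; ntpd then accepts queries from anyone"
        exposed=1
    elif [ "$with_noquery" -lt "$total" ]; then
        echo "$conf: $((total - with_noquery)) of $total 'restrict default' line(s) lack noquery"
        exposed=1
    fi
    if [ "$monitor_off" -eq 0 ]; then
        # warning only: noquery already blocks remote monlist, but on an ntpd
        # that still implements it, disabling the list removes the reflector entirely
        echo "$conf: 'disable monitor' not set"
    fi
    if [ "$exposed" -eq 1 ]; then
        return 1
    fi
    echo "$conf: control queries restricted; monlist not reachable from the Internet"
    return 0
}

WORK=$(mktemp -d)
EXPOSED_CONF="$WORK/exposed.conf"
HARDENED_CONF="$WORK/hardened.conf"

# constructed sample: a pool server with the stock restrict line (no noquery)
cat > "$EXPOSED_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com iburst
restrict default kod nomodify notrap nopeer   # control queries still allowed
restrict 127.0.0.1
EOF

# constructed sample: the same server after hardening
cat > "$HARDENED_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF

check_ntp_conf "$EXPOSED_CONF" || true
check_ntp_conf "$HARDENED_CONF" || true
```

After restarting ntpd with the hardened configuration, `ntpdc -c monlist <server>` from a host outside the allowed ranges should time out rather than return a list, while `ntpdate -q <server>` still gets an answer; the vnstat TX/RX ratio mentioned above is the cheap way to confirm the reflector is no longer being used.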
