No, I did not get a tcpdump. My hosting provider notified me of the abuse, but they had already stopped it. I did get the IP address of the receiving end, and it was my IP address, port 123, to server x port 80, UDP. I'm going to add a rate limit to iptables and lock it down to port 123 and 1024-65535. I wish it were as simple as only allowing udp/123 as both source and destination, but I get so many people behind NATed connections that that wouldn't work. I have been running a public NTP server for several years now, and this is the only issue I have had. I do appreciate all the help on this topic. Thanks again.
Time Zone is PST (GMT-8:00)

Date_flow_start          Duration Proto Src_IP_Addr:Port     Dst_IP_Addr:Port   Packets   Bytes Flows
2013-11-03 22:38:23.508    60.150    17 67.#.#.#:123      ->  162.#.#.#:80         19520 9135360     1

On Nov 4, 2013, at 19:54, Justin <[email protected]> wrote:
I have two machines that participate in the NTP pool project, and I received an abuse email today. Basically, my server was DDoSing someone else: an NTP reflection attack.
Hi Justin,

Can you show a tcpdump of this? I got two other DDoS-related reports in the last 24 hours (which is at least 2 more than I recall getting in any given *month*, or maybe even year, in the last 8!). One was a straight-up UDP reflection attack (management packets, I think), maybe similar to yours. The other was UDP packets, but not port 123 on either end. It looked like it was just a straight-up "dump traffic that way" attack. That was multiple gigabits, though.

Ask
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
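An added example, not from this thread: a small Python parser for the flow-record layout Justin pasted, which computes the per-packet size and bitrate of the reported flow, flags outbound udp/123 flows whose packets are far larger than a normal 76-byte NTP packet on the wire, and models the inbound source-port filter he describes (my reading: accept queries to udp/123 only from source port 123 or 1024-65535). The addresses, the second flow line, the 200-byte threshold and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the nfdump-style layout seen in the thread; the first line
# mirrors the reported flow's counters, with documentation addresses substituted.
SAMPLE_FLOWS = """\
Date_flow_start Duration Proto Src_IP_Addr:Port Dst_IP_Addr:Port Packets Bytes Flows
2013-11-03 22:38:23.508    60.150 17  198.51.100.10:123  ->  203.0.113.7:80     19520  9135360 1
2013-11-03 22:40:01.000    12.000 17  198.51.100.10:123  ->  203.0.113.9:43211     12      912 1
"""

FLOW_RE = re.compile(
    r"(?P<start>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)"
)

NORMAL_NTP_WIRE_BYTES = 76   # 48-byte NTP payload + 8-byte UDP + 20-byte IPv4 header
SUSPECT_AVG_BYTES = 200      # assumed threshold: well above any ordinary NTP reply

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    duration: float
    packets: int
    bytes: int

    @property
    def avg_packet_bytes(self) -> float:
        return self.bytes / self.packets

    @property
    def mbit_per_s(self) -> float:
        return self.bytes * 8 / self.duration / 1e6

def parse_flows(text: str) -> list[Flow]:
    """Parse every data line of an nfdump-style dump; header/blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              int(m["proto"]), float(m["dur"]), int(m["pkts"]), int(m["bytes"])))
    return flows

def is_reflection_candidate(f: Flow) -> bool:
    """Outbound UDP from our port 123 whose packets dwarf a normal NTP reply."""
    return f.proto == 17 and f.sport == 123 and f.avg_packet_bytes > SUSPECT_AVG_BYTES

def client_sport_allowed(sport: int) -> bool:
    """Justin's planned inbound filter for udp/123 as read here: source port 123 or 1024-65535."""
    return sport == 123 or 1024 <= sport <= 65535
```

Run against the sample, the reported flow averages 468 bytes per packet (about 1.2 Mbit/s over its 60 s) and its peer port 80 would not pass the planned filter, while the second, ordinary-looking flow passes both checks.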
