My theory is that since DNS reflection is so well known, it's very commonly filtered. NTP reflection hasn't gotten the same level of press, so it's a more unknown attack.

We've seen reflection attacks from basically everything that can be reflected, so people using NTP isn't exactly a surprise.

On 12/16/2013 10:27 AM, AlbyVA wrote:


You'd think that an NTP reflection army would be somewhat lackluster vs. using a handful of the 28,000,000/million
Open DNS Resolvers -- http://www.openresolverproject.org
-Alby




On Mon, Dec 16, 2013 at 10:20 AM, Brian Rak <[email protected]> wrote:

    It's probably a DDOS reflection attack, rather than an abusive
    client.  We've started to see them more often via NTP (in addition
    to SNMP, DNS, and chargen).

    On 12/16/2013 10:07 AM, Matt Wagner wrote:
    On Mon, Dec 16, 2013 at 2:14 AM, Michael Rathbun <[email protected]> wrote:
    >
    > 64.61.140.162:  total:  11328    avgint:  1
    >
    > hmm...

    I used to get a bunch of these. I'm not quite sure what causes it,
    but it's annoying. Some might have been a bunch of people using NAT,
    but in other cases it looked like it was a single client querying me
    once a second.

    I used to pretty aggressively seek these things out and block them in
    iptables, but I eventually concluded that it was pointless. Since I
    had ntpd set up with the 'kod' and 'limited' keywords, I was really
    just moving where the requests got dropped, but also preventing ntpd
    from sending an occasional KoD. (Not that the client seemed to pay
    attention to them.)

    I'm still pretty curious what causes a client to do this, though. I
    can't see an obvious misconfiguration that would do this.

-- Matt


    _______________________________________________
    pool mailing list
    [email protected]  <mailto:[email protected]>
    http://lists.ntp.org/listinfo/pool




