On 2/10/2014 9:29 AM, Jim Reid wrote:
On 10 Feb 2014, at 14:13, Miroslav Lichvar <[email protected]> wrote:

Were the servers configured with restrict noquery?
Yes. They've been configured that way for years:

% grep noquery /etc/ntp.conf
restrict        default kod nomodify notrap nopeer noquery limited
restrict        -6 default kod nomodify notrap nopeer noquery limited
That's odd. With noquery the server should respond only to normal
client requests and with limited+kod the outgoing packet rate should
be much smaller and not useful for an amplification/reflection attack.
Indeed. However, my servers were (D)DoS'ed, probably in reflection attacks.
If you were the target of the DDOS, and not an amplification vector, no amount of ntpd changes will help. I'm unclear on which you were.

The point I was making was the above config file options didn't really help 
against those attacks on my NTP servers. So presumably if a bad guy's got a big 
enough botnet or is using millions of fake source addresses ntpd's rate-limiting 
isn't up to the job => applying defensive measures in the upstream routers.
Was this machine hosting other services? I find it odd someone would choose to DDOS your NTP server. I suspect that another service on the machine was the target, and the fact that it used port 123 was just because it was using other hosts as reflectors.

Perhaps it's time to think about switching public NTP servers to TCP transport 
and only use UDP on the LAN?

That's unlikely to be of any help in the near future. A lot of these exploited servers are embedded devices (IPMI controllers, routers, etc). Many of the ones that I've seen are still running 4.2.4 or below, so no amount of changing the protocol now is going to help.

I have had good luck with sending out abuse complaints to the attacking IPs. Most people are willing to help fix their server's configurations.
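Two small checks that follow from the thread's discussion of `restrict noquery`, added here as an example; this is not code from the thread or from the ntp project. The first parses the `restrict default` lines of an ntp.conf (a constructed fragment modelled on the one quoted above) and reports which of the flags shown there are missing. The second classifies NTP packets by the 3-bit mode field in the first header byte (RFC 5905 layout: LI, VN, mode), which is what separates the "normal client requests" (mode 3) that a `noquery` server still answers from the mode 6/7 control and private queries it refuses. The sample packets are constructed; only their first byte is meaningful here.

```python
"""Checks around ntp.conf 'restrict' flags and NTP request modes.

Added example, not code from the mailing-list thread or from ntpd.
SAMPLE_CONF and SAMPLE_PACKETS are constructed for illustration.
"""
import re
from collections import Counter

# Flags carried on the 'restrict default' lines quoted in the thread.
HARDENING_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery", "limited"}

# NTP association modes (RFC 5905, section 7.3), from the low 3 bits of byte 0.
MODE_NAMES = {
    1: "symmetric active", 2: "symmetric passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control", 7: "private",
}
# Modes that 'restrict ... noquery' stops ntpd from answering;
# ordinary time clients send mode 3 and are unaffected.
QUERY_MODES = {6, 7}

# 'restrict [-4|-6] default <flags...>', flags optional.
_RESTRICT_RE = re.compile(r"^\s*restrict\s+(?:(-4|-6)\s+)?default(?:\s+(.*))?\s*$")

# Constructed ntp.conf fragment: the IPv6 line deliberately lacks noquery.
SAMPLE_CONF = """\
# constructed ntp.conf fragment
restrict        default kod nomodify notrap nopeer noquery limited
restrict        -6 default kod nomodify notrap nopeer limited   # noquery missing
restrict        127.0.0.1
"""

# Constructed packets; the first byte is LI(2) | VN(3) | Mode(3).
SAMPLE_PACKETS = [
    bytes([0x23]) + bytes(47),  # VN=4 mode=3: ordinary client request
    bytes([0x23]) + bytes(47),  # another client request
    bytes([0x1B]) + bytes(47),  # VN=3 mode=3: older client, still answered
    bytes([0x16]) + bytes(11),  # VN=2 mode=6: control query (ntpq style)
    bytes([0x17]) + bytes(7),   # VN=2 mode=7: private query (ntpdc style)
]


def default_restrict_gaps(conf: str) -> dict:
    """Map each 'restrict default' family ('-4' or '-6') to its missing flags.

    A family absent from the result has no default restrict line at all,
    which means unknown sources get no restriction policy.
    """
    gaps = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = _RESTRICT_RE.match(line)
        if not m:
            continue
        family = m.group(1) or "-4"  # bare 'default' is the IPv4 line
        present = set((m.group(2) or "").split())
        gaps[family] = HARDENING_FLAGS - present
    return gaps


def ntp_mode(pkt: bytes) -> int:
    """Return the 3-bit mode from the first byte of an NTP packet."""
    if not pkt:
        raise ValueError("empty packet")
    return pkt[0] & 0x07


def ntp_version(pkt: bytes) -> int:
    """Return the 3-bit version number from the first byte."""
    if not pkt:
        raise ValueError("empty packet")
    return (pkt[0] >> 3) & 0x07


def dropped_by_noquery(pkt: bytes) -> bool:
    """True for mode 6/7 packets, the traffic 'restrict noquery' refuses."""
    return ntp_mode(pkt) in QUERY_MODES


def summarize(packets) -> dict:
    """Count packets per mode and how many a noquery server would not answer."""
    by_mode = Counter(MODE_NAMES.get(ntp_mode(p), "reserved") for p in packets)
    return {
        "by_mode": dict(by_mode),
        "dropped_by_noquery": sum(1 for p in packets if dropped_by_noquery(p)),
        "answered_as_client": by_mode.get("client", 0),
    }


if __name__ == "__main__":
    for family, missing in default_restrict_gaps(SAMPLE_CONF).items():
        print(f"restrict {family} default: missing {sorted(missing) or 'nothing'}")
    print(summarize(SAMPLE_PACKETS))
```

Running the checks against the constructed input reports the IPv6 line as missing `noquery` and shows that, of five packets, the two mode 6/7 queries are the ones `noquery` drops while the three mode 3 client requests are still served. Neither check says anything about packet volume, which is the thread's other point: a server that is the DDoS target itself, rather than a reflector, is not helped by either setting.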
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool