Re: [ntp:questions] Possible new attack?

2014-10-07 Thread Rob
Evandro Menezes aevan...@gmail.com wrote:
 I've noticed a couple of NTP clients with the unusual avgint of 16s with 
 hundreds of accesses to my NTP server in the pool.  I added a restriction, in 
 addition to the recommended ones already in place, to cope with the 
 suspicious clients bumping the discard average threshold to 32s.  Eventually, 
 KoD kicked them out, but they returned again and again, but each time with a 
 different source UDP port.  I'd think that were it the case of an improperly 
 configured, though kosher, NTP client, it would not haunt the server again 
 after a KoD.  I suspect that it's the case of zombie systems running some 
 sort of DoS bot.  If so, is this the behavior of the recent DRDoS attack or a 
 new attack on NTP?

Never send KoD on traffic that you don't like!
It serves no useful purpose.  Most badly behaving clients will ignore it,
the worst ones will react to it with a quick re-try.
It only drives up your outgoing traffic.  Just drop the offending traffic,
that saves you the effort of replying and makes it go away quicker.

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] Possible new attack?

2014-10-07 Thread Miroslav Lichvar
On Mon, Oct 06, 2014 at 06:49:58PM -0700, Evandro Menezes wrote:
 On Monday, October 6, 2014 6:50:09 PM UTC-5, William Unruh wrote:
  Not only that but they are probably running ntp 3 systems, which does
  not have KOD.
 
 The suspects are purportedly NTPV4:
 
  remote address          port local address      count m ver rstr avgint  lstint
  wnpgmb1154w-a-b          123 192.168.a.b           18 3 4   5f8      6       0
  a-b.dyn.suddenlink.net 42324 192.168.a.b         1590 3 4   5f8     14       6

Out of curiosity, do you have a pcap file or tcpdump output you could
share?

I've been trying to fix widely used open source (S)NTP implementations
to not poll frequently and I'm wondering if this is a client I know.

-- 
Miroslav Lichvar


Re: [ntp:questions] Possible new attack?

2014-10-07 Thread E-Mail Sent to this address will be added to the BlackLists
Harlan Stenn wrote:
 William Unruh writes:
 Not only that but they are probably running ntp 3 systems,
  which does not have KOD.

 It would be really nice to be able to identify what these are
  - if somebody finds out please tell me.

The OP could do e.g.: ntpq -cmrulist
 and look at the mrulist v column to see if they are 3 or 4 ...?


-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] Possible new attack?

2014-10-06 Thread Charles Swiger
On Oct 6, 2014, at 11:36 AM, Evandro Menezes aevan...@gmail.com wrote:
 I've noticed a couple of NTP clients with the unusual avgint of 16s with 
 hundreds of accesses to my NTP server in the pool.  I added a restriction, in 
 addition to the recommended ones already in place, to cope with the 
 suspicious clients bumping the discard average threshold to 32s.  Eventually, 
 KoD kicked them out, but they returned again and again, but each time with a 
 different source UDP port.  I'd think that were it the case of an improperly 
 configured, though kosher, NTP client, it would not haunt the server again 
 after a KoD.  I suspect that it's the case of zombie systems running some 
 sort of DoS bot.  If so, is this the behavior of the recent DRDoS attack or a 
 new attack on NTP?

Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware of 
phone switches, routers, and such are truly brain-dead and will not only ignore 
KoD replies, some of them will even start polling at 1-second intervals.  
You're better off firewalling off IPs which poll at abusive rates rather than 
hoping that ntpd's restrict/KoD stuff will help.

You can try to contact the remote sites and ask them to fix their broken NTP 
clients, but expect lots of pushback.

Regards,
-- 
-Chuck



Re: [ntp:questions] Possible new attack?

2014-10-06 Thread William Unruh
On 2014-10-06, Charles Swiger cswi...@mac.com wrote:
 On Oct 6, 2014, at 11:36 AM, Evandro Menezes aevan...@gmail.com wrote:
 I've noticed a couple of NTP clients with the unusual avgint of 16s with 
 hundreds of accesses to my NTP server in the pool.  I added a restriction, 
 in addition to the recommended ones already in place, to cope with the 
 suspicious clients bumping the discard average threshold to 32s.  
 Eventually, KoD kicked them out, but they returned again and again, but each 
 time with a different source UDP port.  I'd think that were it the case of 
 an improperly configured, though kosher, NTP client, it would not haunt the 
 server again after a KoD.  I suspect that it's the case of zombie systems 
 running some sort of DoS bot.  If so, is this the behavior of the recent 
 DRDoS attack or a new attack on NTP?

 Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware 
 of phone switches, routers, and such are truly brain-dead and will not only 
 ignore KoD replies, some of them will even start polling at 1-second 
 intervals.  You're better off firewalling off IPs which poll at abusive rates 
 rather than hoping that ntpd's restrict/KoD stuff will help.


Not only that but they are probably running ntp 3 systems, which does
not have KOD.

 You can try to contact the remote sites and ask them to fix their broken NTP 
 clients, but expect lots of pushback.

Or you could start sending back wildly inaccurate times. 

 Regards,



Re: [ntp:questions] Possible new attack?

2014-10-06 Thread Harlan Stenn
William Unruh writes:
 On 2014-10-06, Charles Swiger cswi...@mac.com wrote:
  On Oct 6, 2014, at 11:36 AM, Evandro Menezes aevan...@gmail.com wrote:
  I've noticed a couple of NTP clients with the unusual avgint of 16s with
  hundreds of accesses to my NTP server in the pool.  I added a restriction, in
  addition to the recommended ones already in place, to cope with the
  suspicious clients bumping the discard average threshold to 32s.  Eventually,
  KoD kicked them out, but they returned again and again, but each time with a
  different source UDP port.  I'd think that were it the case of an improperly
  configured, though kosher, NTP client, it would not haunt the server again
  after a KoD.  I suspect that it's the case of zombie systems running some
  sort of DoS bot.  If so, is this the behavior of the recent DRDoS attack or a
  new attack on NTP?
 
  Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware
  of phone switches, routers, and such are truly brain-dead and will not only
  ignore KoD replies, some of them will even start polling at 1-second
  intervals.  You're better off firewalling off IPs which poll at abusive rates
  rather than hoping that ntpd's restrict/KoD stuff will help.
 
 
 Not only that but they are probably running ntp 3 systems, which does
 not have KOD.

It would be really nice to be able to identify what these are - if
somebody finds out please tell me.

  You can try to contact the remote sites and ask them to fix their broken NTP
  clients, but expect lots of pushback.
 
 Or you could start sending back wildly inaccurate times. 

KOD packets send back the T1 timestamp they get as the T2 and T3
timestamps, along with other information that should clearly indicate to
any even partially conforming implementation that something is wrong.

H
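
The checks a conforming client applies to a reply, as described above (stratum 0 with a kiss code in the reference ID, origin timestamp echoing the client's own T1, and T1 copied into T2 and T3), as an added example in Python; this is not code from ntpd or from anyone in the thread. It fabricates its own 48-byte sample packets and assumes the RFC 5905 header layout, a poll-exponent ceiling of 17, and, as my own choice, that unknown kiss codes are treated like RATE:

```python
import struct

# RFC 5905 packet header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps
# (reference, origin, receive, transmit).
NTP_FMT = "!BBBbII4sQQQQ"
NTP_LEN = struct.calcsize(NTP_FMT)  # 48 bytes
MODE_SERVER = 4
MAX_POLL = 17  # largest poll exponent (log2 seconds) a client backs off to


def build_server_reply(t1, stratum, refid, t2, t3):
    """Fabricate a mode-4 (server) reply to a request whose transmit
    timestamp was t1. Only used here to construct sample packets."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER  # LI=0, NTPv4, server
    # poll=6, precision=-20, root delay/dispersion 0, reference timestamp 0,
    # origin = T1, receive = T2, transmit = T3
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       0, t1, t2, t3)


def parse_reply(pkt):
    """Unpack the fixed header of an NTP packet into a dict."""
    if len(pkt) < NTP_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FMT, pkt[:NTP_LEN])
    return {
        "version": (f[0] >> 3) & 7,
        "mode": f[0] & 7,
        "stratum": f[1],
        "refid": f[6],
        "origin": f[8],
        "receive": f[9],
        "transmit": f[10],
    }


def classify_reply(pkt, t1):
    """What a conforming client should make of a reply; t1 is the transmit
    timestamp the client placed in its own request."""
    r = parse_reply(pkt)
    if r["mode"] != MODE_SERVER:
        return ("ignore", "not a server reply")
    # The origin timestamp must echo our T1; otherwise the packet is stale or
    # was never solicited by us (e.g. an off-path spoof) and is dropped.
    if r["origin"] != t1:
        return ("ignore", "origin timestamp does not match our request")
    if r["stratum"] == 0:
        # Stratum 0 marks a kiss-o'-death; the refid carries the kiss code.
        code = r["refid"].rstrip(b"\x00").decode("ascii", "replace")
        # ntpd also copies T1 into T2 and T3, so the reply carries no usable
        # time; a client must never feed these timestamps into its clock filter.
        echoed = r["receive"] == t1 and r["transmit"] == t1
        return ("kod", code, echoed)
    return ("ok", r["stratum"])


def next_poll(verdict, poll):
    """Poll exponent to use after this reply; None means stop polling."""
    if verdict[0] != "kod":
        return poll
    code = verdict[1]
    if code in ("DENY", "RSTR"):
        return None                   # server told us to go away: stop entirely
    return min(poll + 1, MAX_POLL)    # RATE (and, here, unknown codes): back off


if __name__ == "__main__":
    t1 = 0xE1F4A8C012345678  # constructed client transmit timestamp
    kod = build_server_reply(t1, 0, b"RATE", t1, t1)
    verdict = classify_reply(kod, t1)
    print(verdict, "next poll exponent:", next_poll(verdict, 6))
```

The origin-timestamp comparison is the same check that protects a client against unsolicited replies in general; a client that skips it, or that ignores stratum 0, is exactly the kind of implementation that keeps returning after a KoD, as the earlier replies describe.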


Re: [ntp:questions] Possible new attack?

2014-10-06 Thread Evandro Menezes
On Monday, October 6, 2014 6:50:09 PM UTC-5, William Unruh wrote:
 Not only that but they are probably running ntp 3 systems, which does
 not have KOD.

The suspects are purportedly NTPV4:

 remote address          port local address      count m ver rstr avgint  lstint
 wnpgmb1154w-a-b          123 192.168.a.b           18 3 4   5f8      6       0
 a-b.dyn.suddenlink.net 42324 192.168.a.b         1590 3 4   5f8     14       6

Note that the restriction bits indicate that these clients are being kissed 
goodbye, yet they remain.

Again, they are not numerous on my server, just a pesky few.  The bandwidth 
used by all NTP clients, the good and the bad alike, amounts to just about 
1.5Kbps.  But, if this is some sort of infection spreading out, it could affect 
notorious ST1 servers worse and more of them might be placed behind a wall 
serving only their internal site, as happened after the recent DRDoS
attack.
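
Turning the `ntpq -c mrulist` table quoted above and the earlier suggestion to look at its `ver` column into a small triage script, as an added example in Python that is not code from ntpd or from anyone in the thread. It parses mrulist rows, flags mode-3 clients whose average poll interval is below a threshold (32 s, the discard average the original poster moved to), and emits a firewall drop rule per offender, which is what Rob and Chuck recommend instead of KoD. The sample table is constructed with documentation addresses and made-up counts; the column names, the `min_count` cut-off and the iptables rule shape are this example's own choices:

```python
import ipaddress

# Column order of `ntpq -c mrulist` rows, named for this example.
MRULIST_COLUMNS = ("remote", "port", "local", "count", "mode", "version",
                   "rstr", "avgint", "lstint")

# Constructed sample in the shape of `ntpq -n -c mrulist` output; addresses are
# documentation ranges and the numbers are made up for this example.
SAMPLE_MRULIST = """\
 remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
 192.0.2.10               123 192.168.0.5           18 3 4  5f8      6       0
 198.51.100.77          42324 192.168.0.5         1590 3 4  5f8     14       6
 203.0.113.9              123 192.168.0.5           12 3 4  5f8   1024      40
 203.0.113.9             5555 192.168.0.5            3 6 2  5f8    300      12
"""


def parse_mrulist(text):
    """Parse mrulist rows into dicts; header, rule and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(MRULIST_COLUMNS) or not parts[3].isdigit():
            continue
        e = dict(zip(MRULIST_COLUMNS, parts))
        for key in ("port", "count", "mode", "version", "avgint", "lstint"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def flag_abusive(entries, min_avgint=32, min_count=10):
    """Mode-3 (client) entries polling faster than min_avgint seconds on
    average, after at least min_count packets so one-off bursts are ignored.
    ntpd itself never uses a poll interval below 2^4 = 16 s, so anything far
    under that is not a well-behaved ntpd."""
    return [e for e in entries
            if e["mode"] == 3
            and e["count"] >= min_count
            and e["avgint"] < min_avgint]


def drop_rules(flagged):
    """One iptables/ip6tables rule per offending source address, dropping the
    traffic silently rather than answering it. Requires numeric addresses,
    i.e. mrulist taken with `ntpq -n`."""
    rules = []
    for remote in sorted({e["remote"] for e in flagged}):
        try:
            addr = ipaddress.ip_address(remote)
        except ValueError:
            raise ValueError(f"{remote!r} is a hostname; run ntpq with -n")
        tool = "iptables" if addr.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -p udp --dport 123 -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    bad = flag_abusive(parse_mrulist(SAMPLE_MRULIST))
    for e in bad:
        print(f"{e['remote']:>16} v{e['version']} count={e['count']} "
              f"avgint={e['avgint']}s")
    print("\n".join(drop_rules(bad)))
```

Run against live output with `ntpq -n -c mrulist | python3 triage.py` after swapping the sample for `sys.stdin.read()`; review the printed rules before applying them, since the mrulist is a ring of recent sources and a busy pool server will turn over entries quickly.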
