[Nottingham] NTP Amplification DDoS Attack... Continues...

Martin martin at ml1.co.uk
Thu Feb 20 15:43:05 UTC 2014


Folks,

I don't usually post about security alerts because with certain
vulnerable systems, there are so many alerts, continuously...

However, this one abusing NTP is a little more fundamental and has
caught my attention since before Christmas... So... For my part I have
just the one server with Network Time Protocol available to all, and
that has been fine for many years now until recently...

See:

Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods
http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project/

Worst DDoS attack of all time hits French site
http://www.zdnet.com/worst-ddos-attack-of-all-time-hits-french-site-7000026330/

Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack


Unfortunately, is this where another old early-days internet protocol
becomes abused into oblivion?

I'm seeing mainly just four IP addresses being targeted and the UDP
requests are also spoofed using popularly used source ports such as http
and mail. I've cut down almost all by simply dropping anything
requesting NTP with source ports of 1-1023,xbox,8080,8088. (The rest are
infrequent and likely genuine requests.)

Even so, I'm still getting many thousands of repeat attempts each day
even though the dumb zombies get nothing in return...

Hey ho! A few more server cycles get wasted in the firewall and logging!


Must all new protocols be devised so that there is no opportunity for a
response size that is greater than the request data packet size? That
would be one fix but unfortunately wasteful for bandwidth :-(

Cheers,
Martin


-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
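
The source-port filter described in the post, applied to constructed firewall log lines, as an added example that is not part of the original message. It assumes "xbox" means UDP port 3074 and an iptables-style LOG format; the `exempt_sport_123` option is a hypothetical variant showing that the range 1-1023 also covers source port 123, which ntpd itself sends from.

```python
import re
from collections import Counter

NTP_PORT = 123
# Ports named in the post besides 1-1023. Assumption: "xbox" means 3074 (Xbox Live).
EXTRA_BLOCKED = {3074, 8080, 8088}

# Constructed sample in an assumed iptables-style LOG format (documentation addresses).
SAMPLE_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=80 DPT=123 LEN=36
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=80 DPT=123 LEN=36
IN=eth0 SRC=203.0.113.21 DST=192.0.2.10 PROTO=UDP SPT=25 DPT=123 LEN=36
IN=eth0 SRC=203.0.113.22 DST=192.0.2.10 PROTO=UDP SPT=3074 DPT=123 LEN=36
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=8080 DPT=123 LEN=36
IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123 LEN=76
IN=eth0 SRC=192.0.2.88 DST=192.0.2.10 PROTO=UDP SPT=51422 DPT=123 LEN=76
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=22 LEN=60
"""
LINE_RE = re.compile(r"SRC=(\S+) .*PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def should_drop(proto, sport, dport, exempt_sport_123=False):
    """True if the post's filter (sport 1-1023, xbox, 8080, 8088) drops the packet."""
    if proto != "UDP" or dport != NTP_PORT:
        return False  # the filter only concerns requests to the NTP service
    # ntpd and ntpdate (without -u) send from port 123, inside the 1-1023 range.
    if exempt_sport_123 and sport == NTP_PORT:
        return False
    return 1 <= sport <= 1023 or sport in EXTRA_BLOCKED

def summarize(log_text, exempt_sport_123=False):
    """Return (Counter of dropped requests per claimed source, accepted count)."""
    dropped, accepted = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) != "UDP" or int(m.group(4)) != NTP_PORT:
            continue  # not an NTP request
        src, sport = m.group(1), int(m.group(3))
        if should_drop("UDP", sport, NTP_PORT, exempt_sport_123):
            # Requests are spoofed, so SRC is the intended target, not the sender.
            dropped[src] += 1
        else:
            accepted += 1
    return dropped, accepted

if __name__ == "__main__":
    for exempt in (False, True):
        dropped, accepted = summarize(SAMPLE_LOG, exempt)
        print(f"exempt_sport_123={exempt}: accepted={accepted}, dropped={dict(dropped)}")
```
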


