[Nottingham] NTP Amplification DDoS Attack... Continues...

Martin martin at ml1.co.uk
Thu Feb 20 16:00:13 UTC 2014


ps:

An interesting aspect for blocking the spoofed NTP UDP...

I suspect that a certain number of single unique addresses I see are
probe requests that go back to a monitoring IP address...

Early on, I blocked just the ports being abused. Surely enough, a few
hours later there would be a fresh onslaught using a new favoured one or
two source ports...

The blocking of anything UDP using the source ports:

1-1023,xbox,8080,8088

is staying effective thus far... Until...


How long before I'm forced to abandon offering the NTP service?

What of those time servers set up to be freely used by everyone else for
NTP that many rely upon for time synchronisation?


Such are the negative aspects of vandalism... :-(

Cheers,
Martin



On 20/02/14 15:42, Martin wrote:
> Folks,
> 
> I don't usually post about security alerts because with certain
> vulnerable systems, there are so many alerts, continuously...
> 
> However, this one abusing NTP is a little more fundamental and has
> caught my attention since before Christmas... So... For my part I have
> just the one server with Network Time Protocol available to all, and
> that has been fine for many years now until recently...
> 
> See:
> 
> Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods
> http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project/
> 
> Worst DDoS attack of all time hits French site
> http://www.zdnet.com/worst-ddos-attack-of-all-time-hits-french-site-7000026330/
> 
> Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
> 
> 
> Unfortunately, is this where another old early-days internet protocol
> becomes abused into oblivion?
> 
> I'm seeing mainly just four IP addresses being targeted and the UDP
> requests are also spoofed using popularly used source ports such as http
> and mail. I've cut down almost all by simply dropping anything
> requesting NTP with source ports of 1-1023,xbox,8080,8088. (The rest are
> infrequent and likely genuine requests.)
> 
> Even so, I'm still getting many thousands of repeat attempts each day
> even though the dumb zombies get nothing in return...
> 
> Hey ho! A few more server cycles get wasted in the firewall and logging!
> 
> 
> Must all new protocols be devised so that there is no opportunity for a
> response size that is greater than the request data packet size? That
> would be one fix but unfortunately wasteful for bandwidth :-(
> 
> Cheers,
> Martin



-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
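The source-port filter Martin describes above (drop anything UDP aimed at the NTP service whose *source* port is in 1-1023, xbox, 8080 or 8088), written out as a small packet classifier so the policy can be checked offline. This is an example added here, not code from the original post; the packets are constructed, the addresses are documentation ranges, and the assumption that "xbox" resolves to UDP port 3074 (its `/etc/services` entry) is mine.

```python
"""
Source-port filter for inbound NTP (UDP/123), modelled on the rule in the post:
drop UDP requests to port 123 whose source port is 1-1023, xbox, 8080 or 8088.
Added example, not the original poster's firewall rules. Sample packets below
are constructed, not captured traffic.
"""
from collections import Counter
from dataclasses import dataclass

NTP_PORT = 123
XBOX_PORT = 3074  # assumption: the post's "xbox" is the /etc/services name for 3074

# Inclusive source-port ranges to drop, mirroring "1-1023,xbox,8080,8088".
BLOCKED_SRC_RANGES = [(1, 1023), (XBOX_PORT, XBOX_PORT), (8080, 8080), (8088, 8088)]


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int  # UDP payload length in bytes


def src_port_blocked(port: int) -> bool:
    """True if the source port falls in one of the blocked ranges."""
    return any(lo <= port <= hi for lo, hi in BLOCKED_SRC_RANGES)


def filter_ntp(pkt: UdpPacket) -> str:
    """Return the verdict ('DROP' or 'ACCEPT') for one inbound UDP packet.

    Only traffic to the NTP port is subject to the source-port rule; anything
    else is left for other rules to decide, so it is accepted here.
    """
    if pkt.dst_port != NTP_PORT:
        return "ACCEPT"
    if src_port_blocked(pkt.src_port):
        return "DROP"
    return "ACCEPT"


def summarise(packets):
    """Count verdicts and which source ports were dropped, like a log summary."""
    verdicts = Counter()
    dropped_ports = Counter()
    for pkt in packets:
        verdict = filter_ntp(pkt)
        verdicts[verdict] += 1
        if verdict == "DROP":
            dropped_ports[pkt.src_port] += 1
    return verdicts, dropped_ports


# Constructed sample: spoofed requests using "popular" source ports, plus a
# client on an ephemeral port and one non-NTP packet that the rule ignores.
SAMPLE = [
    UdpPacket("198.51.100.7", 80, "203.0.113.10", NTP_PORT, 48),    # spoofed http
    UdpPacket("198.51.100.7", 25, "203.0.113.10", NTP_PORT, 48),    # spoofed mail
    UdpPacket("198.51.100.7", 3074, "203.0.113.10", NTP_PORT, 48),  # spoofed xbox
    UdpPacket("198.51.100.7", 8080, "203.0.113.10", NTP_PORT, 48),
    UdpPacket("192.0.2.44", 52411, "203.0.113.10", NTP_PORT, 48),   # ephemeral port
    UdpPacket("192.0.2.44", 52411, "203.0.113.10", 53, 60),         # DNS, not NTP
]

if __name__ == "__main__":
    verdicts, dropped = summarise(SAMPLE)
    print("verdicts:", dict(verdicts))
    print("dropped by source port:", dict(dropped))
```

One caveat a defender should keep in mind before copying this rule: ntpd itself sends its polls from source port 123, so the 1-1023 range also drops any other ntpd instance that peers with or syncs from this server (ntpdate and sntp use ephemeral ports and pass). The filter reduces the cost of the reflected traffic but does not remove the amplification itself; that is done at the server by running a patched ntpd, as the Register article in the thread urges, with the monitor/monlist facility disabled and `noquery` in the default `restrict` line.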


