[Nottingham] NTP Amplification DDoS Attack... Continues...

Martin martin at ml1.co.uk
Thu Mar 20 16:06:28 UTC 2014


On 20/02/14 15:59, Martin wrote:
> ps:
> 
> An interesting aspect for blocking the spoofed NTP UDP...
> 
> I suspect that a certain number of single unique addresses I see are
> probe requests that go back to a monitoring IP address...
> 
> Early on, I blocked just the ports being abused. Surely enough, a few
> hours later there would be a fresh onslaught using a new favoured one or
> two source ports...
> 
> The blocking of anything UDP using the source ports:
> 
> 1-1023,xbox,8080,8088
> 
> is staying effective thus far... Until...
> 
> 
> How long before I'm forced to abandon offering the NTP service?
> 
> What of those time servers set up to be freely used by everyone else for
> NTP that many rely upon for time synchronisation?
> 
> 
> Such are the negative aspects of vandalism... :-(

And this continues...


I've had to tune the blocking further to block any requests to/from any
'silly' port numbers.

And additionally, anything requesting NTP too often is dropped also.


For what I see, I was getting about a million requests a week instead of
a few hundred. Even though various target IPs are simply dropped, I'm
still seeing about 200k requests a week even though I'm in effect acting
as a black hole for them...

I've not yet had to move to instead use whitelisting... So far...

So, no noticeable impact other than wasting some of my time and
increasing the size of the iptables.


Curiously, the BBC have picked up on this again:

Hack attacks battled by net's timekeepers
http://www.bbc.co.uk/news/technology-26662051


Paid-for anti-competitiveness? Grudge attacks?

Or really just adolescent mischief?!

Is this where the internet is growing old and too accessible?


Many years ago the 'internet' was whatever it was you had listed in your
own local hosts file. Access was so 'elite' (expensive) that there was
almost a Gentleman's Club of users where servers were openly online that
offered anonymous shell access as courtesy to fellow netizens.

Such as "rms" grew up in that era.

And now?...


Cheers,
Martin


-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
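
The two filtering rules described in the message above (drop UDP from a set of source ports, drop sources that ask for NTP too often), modelled over constructed traffic. This is an added example, not the poster's iptables rules; the mapping of "xbox" to port 3074, the rate limit of 3 requests per 60 seconds, and the names NtpRequestFilter, SAMPLE and run are assumptions.

```python
from collections import defaultdict, deque

# Assumed values: the post lists "1-1023,xbox,8080,8088"; "xbox" is taken
# here as the IANA service port 3074. The rate limit is hypothetical.
BLOCKED_SRC_PORTS = set(range(1, 1024)) | {3074, 8080, 8088}
MAX_REQUESTS = 3       # hypothetical: requests allowed per source...
WINDOW_SECONDS = 60.0  # ...within this sliding window


class NtpRequestFilter:
    """Decide ACCEPT/DROP for inbound UDP requests to port 123."""

    def __init__(self, blocked=BLOCKED_SRC_PORTS,
                 max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.blocked = blocked
        self.max_requests = max_requests
        self.window = window
        self.seen = defaultdict(deque)  # source IP -> accepted timestamps

    def decide(self, ts, src_ip, src_port):
        # Rule 1: a source port from the blocked set is dropped outright.
        if src_port in self.blocked:
            return "DROP:src-port"
        # Rule 2: sliding-window rate limit per source address.
        recent = self.seen[src_ip]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return "DROP:rate"
        recent.append(ts)  # only accepted requests count toward the limit
        return "ACCEPT"


# Constructed sample traffic: (seconds, source IP, source port).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE = [
    (0.0, "192.0.2.10", 45123), (1.0, "198.51.100.7", 80),
    (2.0, "198.51.100.7", 8080), (3.0, "203.0.113.5", 50000),
    (4.0, "203.0.113.5", 50000), (5.0, "203.0.113.5", 50000),
    (6.0, "203.0.113.5", 50000), (70.0, "203.0.113.5", 50000),
]


def run(sample=SAMPLE):
    """Return the verdict for each packet in order."""
    flt = NtpRequestFilter()
    return [flt.decide(*pkt) for pkt in sample]
```

Because rule 1 is checked first, packets with a blocked source port never enter the per-source table, so they do not add to its size.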


