LinuxQuestions.org

Linux - Security: Stopping NTP Amplification (https://www.linuxquestions.org/questions/linux-security-4/stopping-ntp-amplification-4175495578/)

tomlaino 02-19-2014 10:09 PM

Stopping NTP Amplification
 
I am getting slammed by an NTP amplification. I have tried adding noquery to the restrict default line in ntp.conf, but no luck. So I added a few lines to iptables, and here is what they look like:

# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 60 --hitcount 7 --name NTPTRAFFIC --rsource -j DROP

But that is still not working. Does anyone have any ideas on what I can do to put an end to this? I am running CentOS 6.4.

unSpawn 02-20-2014 01:24 AM

Quote:

Originally Posted by tomlaino (Post 5121320)
I am getting slammed by an NTP amplification. I have tried adding noquery to the restrict default line in ntp.conf, but no luck. So I added a few lines to iptables, and here is what they look like:

# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 60 --hitcount 7 --name NTPTRAFFIC --rsource -j DROP

But that is still not working. Does anyone have any ideas on what I can do to put an end to this? I am running CentOS 6.4.

I think you're confusing things.
0) if you think you're a participant in an NTP DDoS attack then you should first ask yourself why you didn't respond earlier (same goes for systems maintenance, as your OS is lagging one update), ask yourself if you should provide NTP publicly (most do not) and then restrict access to your NTP service using your router, firewall rule set and ntp.conf
Code:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

(see https://www.us-cert.gov/ncas/alerts/TA14-013A) and BTW notice it's "AND", not "or".
1) if you think you're a victim then, as goes for all types of DDoS attacks, know there's only so much you can achieve as an end point. The source address (and port) are or can be faked so unless you're actually seeing ingress traffic to your NTP port UDP/123 these rules make no sense. Next to applying the right firewall rules based on traffic you actually see, block access at the router (if any) and ask your provider to take measures. It's way easier (filter and resource-wise) for them to block traffic at their edge routers.

If unsure post an excerpt from actual traffic you see.
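As an added example (not code from this thread), a small Python check of the ntp.conf point above: both the IPv4 and the IPv6 `restrict default` lines must carry all five flags, and a missing line is reported as missing all of them. The sample configs inside it are constructed.

```python
"""Verify an ntp.conf restricts default access with ALL of
kod nomodify notrap nopeer noquery on both family lines.
Added example; the sample configs below are constructed."""

REQUIRED = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_default_restricts(conf_text):
    """Return {'ipv4': flags-or-None, 'ipv6': flags-or-None}.
    Only 'restrict [-4|-6] default ...' lines count; comments and
    host/network restrict lines are ignored. None means no such line,
    which ntpd treats as unrestricted access for that family."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip trailing comments
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        rest, family = parts[1:], "ipv4"
        if rest[0] in ("-4", "-6"):               # explicit address family
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if not rest or rest[0] != "default":
            continue
        found[family] = set(rest[1:])             # later line wins, as in ntpd
    return found

def missing_flags(conf_text):
    """Return {'ipv4': [missing...], 'ipv6': [missing...]}, sorted lists."""
    result = {}
    for family, flags in parse_default_restricts(conf_text).items():
        present = flags if flags is not None else set()
        result[family] = sorted(REQUIRED - present)
    return result

# Constructed samples: the two lines recommended in the post, and a
# stock-style config that lacks noquery/kod/nopeer and has no IPv6 line.
HARDENED = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
WEAK = """restrict default nomodify notrap   # no noquery: still answers queries
restrict 127.0.0.1
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ntp.conf"
    with open(path) as fh:
        for family, missing in missing_flags(fh.read()).items():
            print(family, "OK" if not missing else "missing: " + " ".join(missing))
```

Run it as `python check_ntp_restrict.py /etc/ntp.conf`; an empty list for both families means the restrict lines match what the post recommends, and ntpd still needs a restart for the change to take effect.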

tomlaino 02-20-2014 07:10 AM

Here is the snapshot from my pcap. I have entered the lines into ntp.conf and still no luck.

unSpawn 02-20-2014 03:18 PM

AFAIK #0 applies here. Get on it.

gotfw 02-20-2014 05:27 PM

In case not clear, if possible, block this at your 1) border/gateway router, AND 2) the external IP address you're nat'ing that 192.x address to. Howsomever, _if_ you're dealing with a low end router provided for free by your ISP, it may not have the horsepower to keep up with the deluge, so in that case just block at #2.

Peace :cool:

tomlaino 03-03-2014 03:53 PM

After entering the lines into the ntp.conf the server required a restart, and after that the problems ceased. Thank you for all the help.

