Quote:
Originally Posted by tomlaino
I am getting slammed by an NTP amplification. I have tried adding noquery to the restrict default line in ntp.conf but no luck. So I added a few lines to IPtables and here is what they look like
# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --set --name NTPTRAFFIC --rsource
# iptables -A INPUT -i eth0 -p udp -m udp --dport 123 -m recent --update --seconds 60 --hitcount 7 --name NTPTRAFFIC --rsource -j DROP
But that is still not working. Does anyone have any ideas on what I can do to put an end to this? I am running CentOS 6.4
|
I think you're confusing things.
0) if you think you're a
participant in a NTP DDoS attack then you should first ask yourself why you didn't respond earlier (same goes for systems maintenance as your OS is lagging one Update), ask yourself if you should provide NTP publicly (most do not) and then restrict access to your NTP service using your router, firewall rule set and ntp.conf
Code:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
(see
https://www.us-cert.gov/ncas/alerts/TA14-013A) and BTW notice it's "AND", not "or".
1) if you think you're a
victim then, as goes for all types of DDoS attacks, know
there's only so much you can achieve as an end point. The source address (and port) are or can be faked so unless you're actually seeing ingress traffic
to your NTP port UDP/123 these rules make no sense. Next to applying the right firewall rules
based on traffic you actually see, block access at the router (if any) and ask your provider to take measures. It's way easier (filter and resource-wise) for them to block traffic at their edge routers.
If unsure post an excerpt from actual traffic you see.
