[outages] Internap Being DDoS'd
Jeremy Chadwick
jdc at koitsu.org
Wed Feb 12 13:53:35 EST 2014
I see some attributes in the "UNIX ntpd" example there which are
missing. I would suggest people follow the defaults provided by some of
the OSS distros (ex. FreeBSD 9):
http://svnweb.freebsd.org/base/stable/9/etc/ntp.conf?revision=259974&view=markup
Specifically these lines for starters:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
The last 3 lines are effectively "allow" statements. You'll
need to modify your ntp.conf accordingly; e.g. if the system in
question is used as an NTP server for other machines on 192.168.1.0/24,
you'd need something like:
restrict 192.168.1.0 mask 255.255.255.0
But I recommend folks read (not skim -- it actually reads quite easily,
just the formatting isn't easily skimmable) the following page, as it
goes over the difference between "restrict default {bunch of modifiers}"
vs. "restrict default ignore":
http://support.ntp.org/bin/view/Support/AccessRestrictions
It's remarkable how neglected NTP is as a service. :/
--
| Jeremy Chadwick jdc at koitsu.org |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |
On Wed, Feb 12, 2014 at 11:37:00AM -0700, John wrote:
> On 02/12/2014 11:33 AM, Bryan Inks wrote:
> >
> >Good info, I'll definitely be looking into this.
> >
> >But, I'm not being directly attacked. Internap is one of my upstreams, and
> >they are the one that reported that they were being attacked when we
> >called to let them know about the problem.
> >
> >*From:*Bill Wichers [mailto:billw at waveform.net]
> >*Sent:* Wednesday, February 12, 2014 10:27 AM
> >*To:* Jared Mauch; Bryan Inks
> >*Cc:* outages at outages.org
> >*Subject:* RE: [outages] Internap Being DDoS'd
> >
> >To second Jared on this one, we've seen a HUGE increase in NTP-based
> >attacks over the past several weeks with our colo customers. It's very
> >efficient too -- even a pretty low end machine can saturate a 100M link.
> >It reminds me of SQL slammer...
> >
> >If you haven't yet checked that you're safe from this you should. See:
> >
> >https://www.us-cert.gov/ncas/alerts/TA14-013A
> >
> >and
> >
> >https://www.us-cert.gov/ncas/alerts/TA14-017A
> >
> >for more info...
> >
>
> And some info on how to mitigate it so you are not a reflector.
>
> http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
>
> --John
>
> > -Bill
> >
> >*From:*Outages [mailto:outages-bounces at outages.org] *On Behalf Of *Jared
> >Mauch
> >*Sent:* Wednesday, February 12, 2014 1:21 PM
> >*To:* Bryan Inks
> >*Cc:* outages at outages.org <mailto:outages at outages.org>
> >*Subject:* Re: [outages] Internap Being DDoS'd
> >
> >Close your NTP amplifiers and prevent the spoofing.. Will solve this one.
> >
> >Openntpproject.org <http://Openntpproject.org> can help you.
> >
> >Jared Mauch
> >
> >
> >On Feb 12, 2014, at 12:45 PM, "Bryan Inks" <Binks at keyinfo.com
> ><mailto:Binks at keyinfo.com>> wrote:
> >
> > Just got confirmation from Internap NOC that they are being
> > attacked again.
> >
> > Causing quite a bit of chaos for my network in SoCal.
> >
> > I'm having to route over to Level3 to minimize the issue.
> >
> > _______________________________________________
> > Outages mailing list
> > Outages at outages.org <mailto:Outages at outages.org>
> > https://puck.nether.net/mailman/listinfo/outages
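A defender-side check for the access policy discussed above (an added example, not code from the thread, from FreeBSD or from ntp.org): a small Python audit that parses the restrict lines of an ntp.conf and reports when the default policy lacks the flags used in the FreeBSD 9 defaults, treating "restrict default ignore" as stricter and therefore acceptable. The two sample configs embedded in it are constructed for the demonstration.

```python
# Flags the FreeBSD 9 defaults quoted in the message put on "restrict default";
# a default line using "ignore" instead is stricter and also passes.
REQUIRED_FLAGS = frozenset({"kod", "nomodify", "notrap", "nopeer", "noquery"})

def parse_restrict_lines(conf_text):
    """Return (family, address, flags) for each 'restrict' line; family is
    '-4', '-6' or '' exactly as written, flags is a frozenset of modifiers."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, tokens = "", tokens[1:]
        if tokens[0] in ("-4", "-6"):
            family, tokens = tokens[0], tokens[1:]
        if not tokens:
            continue                                   # "restrict -6" alone: malformed
        address, rest = tokens[0], tokens[1:]
        if len(rest) >= 2 and rest[0] == "mask":       # "restrict A mask M ..."
            address, rest = f"{address} mask {rest[1]}", rest[2:]
        entries.append((family, address, frozenset(rest)))
    return entries

def audit_ntp_conf(conf_text):
    """Return findings about the default access policy; [] means hardened."""
    defaults = [(fam, flags) for fam, addr, flags in parse_restrict_lines(conf_text)
                if addr == "default"]
    if not defaults:
        # No 'restrict default' at all: ntpd applies no restrictions to anyone.
        return ["no 'restrict default' line: ntpd answers every client and query"]
    findings = []
    for family, flags in defaults:
        missing = sorted(REQUIRED_FLAGS - flags)
        if "ignore" not in flags and missing:
            label = " ".join(t for t in ("restrict", family, "default") if t)
            findings.append(f"{label} is missing: {' '.join(missing)}")
    return findings

# Constructed sample configs (not from the thread) to exercise the audit.
OPEN_CONF = "server 0.pool.ntp.org\nrestrict 127.0.0.1\n"
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
restrict 192.168.1.0 mask 255.255.255.0   # LAN clients may sync time
"""
```

Running `audit_ntp_conf(open(path).read())` against a host's own ntp.conf is enough to flag a server that still answers arbitrary queries; an empty result only says the default policy matches the flag set above, not that the ntpd build itself is current.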