[Discuss] NTP Gone Crazy?

Tom Metro tmetro+blu at gmail.com
Mon Jan 13 02:57:04 EST 2014


Kent Borg wrote:
> David N. Blank-Edelman wrote:
>> Perhaps this?
>> http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
> 
> I'll bet that is it.  I'll keep NTP turned off for the moment until I
> can run a newer version.

This attack sounds like it requires an exposed NTP server[1]. Is yours
behind a firewall?

If not, why is it exposed? Are you a volunteer in
http://www.pool.ntp.org/en/ ?

 -Tom

1. Traversing a simple NAT firewall is not too hard, when you are
talking about a stateless UDP protocol for services that send outbound
packets quite regularly, and thus it keeps the NAT port mappings active,
but still this is not trivial. Aside from mitigating this with the rate
limiting Rich suggests, I'd expect a decent NAT implementation "out of
the box" would thwart this by rejecting packets coming from IPs other
than where the outbound packets were sent. Even if you spoofed those
IPs, unless you aim to DDoS other NTP servers, that would seem to make
this technique useless.

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
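The exposed-server question above, as an added example that is not part of the original thread: a small Python detector that scores per-peer request/reply byte ratios on UDP/123 from constructed flow records, flagging the lopsided traffic an abused NTP server produces (the server address, flow tuple format, sample flows and thresholds are all assumptions).

```python
"""Flag NTP reflection/amplification from flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flows: (proto, src, sport, dst, dport, packets, bytes).
# 192.0.2.10 is the hypothetical local NTP server; 203.0.113.0/24 are peers.
FLOWS = [
    ("udp", "203.0.113.5", 50123, "192.0.2.10", 123, 10, 480),         # normal poll
    ("udp", "192.0.2.10", 123, "203.0.113.5", 50123, 10, 480),         # normal reply
    ("udp", "203.0.113.77", 40000, "192.0.2.10", 123, 200, 9600),      # tiny queries
    ("udp", "192.0.2.10", 123, "203.0.113.77", 40000, 20000, 9600000), # huge replies
    ("tcp", "203.0.113.9", 51000, "192.0.2.10", 22, 50, 40000),        # unrelated
]

LOCAL_NTP = ip_address("192.0.2.10")   # assumption: the server we defend
RATIO_THRESHOLD = 10.0                 # reply/request bytes; a clean poll is ~1:1
MIN_REPLY_BYTES = 100_000              # ignore low-volume noise


def amplification_report(flows, server=LOCAL_NTP, ratio=RATIO_THRESHOLD,
                         min_bytes=MIN_REPLY_BYTES):
    """Return {peer: (request_bytes, reply_bytes, ratio)} for every peer that
    received far more NTP bytes from `server` than it sent to it.

    Because reflection attacks spoof the source, the flagged peer is usually
    the victim being flooded, not the attacker; the useful signal is that our
    server is answering with amplified volume at all.
    """
    req, rep = defaultdict(int), defaultdict(int)
    for proto, src, sport, dst, dport, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if ip_address(dst) == server and dport == 123:
            req[src] += nbytes                  # bytes sent to our server
        elif ip_address(src) == server and sport == 123:
            rep[dst] += nbytes                  # bytes our server sent back
    suspicious = {}
    for peer, reply_bytes in rep.items():
        request_bytes = req.get(peer, 0)
        r = reply_bytes / max(request_bytes, 1)  # avoid divide-by-zero
        if reply_bytes >= min_bytes and r >= ratio:
            suspicious[peer] = (request_bytes, reply_bytes, round(r, 1))
    return suspicious


if __name__ == "__main__":
    for peer, stats in amplification_report(FLOWS).items():
        print(f"amplified replies to {peer}: req={stats[0]} rep={stats[1]} x{stats[2]}")
```

Feeding it real NetFlow/sFlow exports for UDP/123 gives a quick answer to "is my server being used as a reflector" before touching rate limits or firewall rules.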