
List:       ntp-bugs
Subject:    [ntp:bugs] [Bug 2180] DOS-like incident this weekend, may be bug related?
From:       bugzilla-daemon () ntp ! org
Date:       2012-05-15 1:27:00
Message-ID: bug-2180-35-FJFxLZK2SY () http ! bugs ! ntp ! org/

https://bugs.ntp.org/show_bug.cgi?id=2180

Dave Hart <hart@ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hart@ntp.org

--- Comment #1 from Dave Hart <hart@ntp.org> 2012-05-15 01:27:00 UTC ---
I think I understand what was happening.  First of all, believe it or not your
ntpd was a tool used by abusers to attack the IP address in the Philippines. 
Worse, as you saw, it served as a powerful tool because they were able to send
a stream of tiny requests with forged source IPs (probably from many 'botted
hosts) each of which results in a spew of 500-ish byte responses.  This is
amplification plus reflection.

The tiny requests involved are well-formed just as if emitted by:

ntpdc -c monlist <hostname/IP>

The responses can be decoded by simply issuing that command against your own
server, where you'll see a history list of recent NTP clients.

Unfortunately, the best fix for this problem isn't available in a 4.2.6 release
-- but only in ntp-dev 4.2.7, where support for monlist has been removed from
ntpd in favor of a new "ntpq -c mrulist" which ensures the request is really
coming from the IP address it claims to be, by requiring the request to be
accompanied by a previously-obtained temporary proof the requester can receive
traffic sent to the address.

You can prevent your 4.2.6 ntpd from being an amplifying reflector via mrulist
by a workaround in ntp.conf:

restrict default noquery [...]
restrict localhost

That will prohibit ntpq and ntpdc query processing by ntpd for all but
localhost.  You could add another line for each local subnet to exempt it from
the default restrictions similarly to localhost above:

restrict 192.168.1.0 mask 255.255.255.0

-- 
Configure bugmail: https://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
bugs mailing list
bugs@lists.ntp.org
http://lists.ntp.org/listinfo/bugs
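The workaround in the comment hinges on one detail: whether the `restrict default` line carries `noquery`, with explicit `restrict` lines exempting localhost and trusted subnets. The following added example (not code from the NTP project or from the bug report) audits an ntp.conf for exactly that. It parses the `restrict` directives, reports whether the default restriction refuses mode 6/7 queries such as monlist, and lists the targets that may still query. The two sample configurations embedded below are constructed for the example; the `-4`/`-6` address-family selector handling and the treatment of a missing `restrict default` line (ntpd then applies no restrictions) follow ntpd's documented behaviour.

```python
"""Audit an ntp.conf for the monlist/amplification workaround from Bug 2180.

Added example, not part of the NTP project or the bug report. It checks whether
the `restrict default` line carries `noquery` (so mode 6/7 queries such as
monlist are refused for everyone not explicitly exempted) and reports the
hosts/subnets that remain allowed to query.
"""
import ipaddress
import shlex

# Constructed sample: a 4.2.6-era config that still answers monlist from anywhere.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the same config with the workaround from the comment applied.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0
"""


def parse_restrict_lines(conf_text):
    """Return (target, flags) tuples for every `restrict` directive.

    `target` is the string 'default', an ip_network for 'addr mask m' forms,
    an ip_address for a bare address, or the raw text (e.g. a hostname);
    `flags` is the set of remaining tokens such as {'noquery', 'nomodify'}.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        # An optional address-family selector (-4 / -6) precedes the target.
        if tokens and tokens[0] in ("-4", "-6"):
            tokens = tokens[1:]
        if not tokens:
            continue
        target, rest = tokens[0], tokens[1:]
        if target != "default":
            if len(rest) >= 2 and rest[0] == "mask":
                try:
                    target = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
                except ValueError:
                    pass  # keep the raw text if it is not an address
                rest = rest[2:]
            else:
                try:
                    target = ipaddress.ip_address(target)
                except ValueError:
                    pass  # hostname such as 'localhost'
        entries.append((target, set(rest)))
    return entries


def audit_query_exposure(conf_text):
    """Classify exposure to remote mode 6/7 queries (monlist among them).

    Returns {'default_noquery': bool, 'exempt': [targets still allowed to
    query], 'verdict': 'open' | 'restricted'}.
    """
    default_flags = None
    exempt = []
    for target, flags in parse_restrict_lines(conf_text):
        if target == "default":
            default_flags = flags
        elif "noquery" not in flags and "ignore" not in flags:
            exempt.append(str(target))
    # No `restrict default` line at all means ntpd applies no restrictions.
    default_noquery = default_flags is not None and "noquery" in default_flags
    return {
        "default_noquery": default_noquery,
        "exempt": exempt,
        "verdict": "restricted" if default_noquery else "open",
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_query_exposure(conf)
        print(f"{name}: {result['verdict']}; may query: {', '.join(result['exempt']) or 'nobody'}")
```

Run against a real `/etc/ntp.conf` by reading the file into `audit_query_exposure`; a verdict of `open` means any source address on the Internet can still issue monlist against the server, and the `exempt` list is what to review once `noquery` is in place.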