
List:       timekeepers
Subject:    Re: [time] NTP service attacked
From:       Adrian von Bidder <avbidder () fortytwo ! ch>
Date:       2009-07-25 9:47:13
Message-ID: 200907251147.18906 () fortytwo ! ch



On Friday 24 July 2009 18.28:39 Luis Fernando Llana Díaz wrote:

> As soon as the server is in the pool (the score is
> over 5.0) I am flooded with too many requests (more than 5000 in 1
> second) that make the network fail.

5k packets per second == 4Mbps, right?

Is this enough to make your line fail?

> I do not think it is normal, how can
> I protect myself?

Search the list archives, some scripts have been posted IIRC.

First step would be to identify the offenders.  If you don't have any 
monitoring in place, have a look at the output of "ntpdc -n -c monlist", it 
can give a first hint.

Then experiences vary quite a bit.

 * sometimes, a client that polls too often goes away if you give it a 'kod' 
packet. (you configure this via ntp configuration)
 * sometimes a client goes away if you just don't respond to its packets 
(via ntp configuration or via firewall)
 * sometimes if you reject (icmp reject via firewall)

But OTOH there have been reports of such clients going berserk and flooding 
if they don't get an ntp response.  Not much you can do :-(

You obviously can try to report abuse to the ISP of the offending IP 
address.  But usually abuse teams don't know what you're talking about or 
are just too busy or don't think that '1 packet per second' is serious 
enough abuse.  So: with most big ISPs the success rate has been marginal.  
(If you're up for a challenge, identify a few IP addresses polling you from 
Turk Telecom and try to get that problem solved, though I haven't heard 
about it on the list for some time... ;-)

(Oh, and: it may not be the bandwidth that's killing you.  If you're behind 
a cheap NAT router, it may just be that the NAT port forwarding table is 
filling up and is blocking all new connections.  Some routers have 
configuration options on how they handle this, but mostly you'll just have to 
replace the router.)

cheers
-- vbi


-- 
featured link: Debian Bookmark Collection - http://bookmarks.debian.net/



_______________________________________________
timekeepers mailing list
timekeepers@fortytwo.ch
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
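The "identify the offenders, then ignore or firewall them" procedure from the message above, worked through as an added example. This is not code from Adrian's mail or from the ntp project: the monlist text is constructed sample data in the column layout that "ntpdc -n -c monlist" prints (remote address, port, local address, count, mode, version, restrict flags, average and last poll interval), the function names are mine, and the ntp.conf and iptables lines are printed rather than applied so the script runs offline. The threshold of 100000 packets is an arbitrary assumption for the sample; pick one from your own traffic. One caveat the 2009 thread could not know: monlist is itself an amplification vector (a small query returns a large response), so restrict it to localhost with "noquery" rather than leaving it open to the whole Internet.

```sh
#!/bin/sh
# Added example, not part of the original thread or the ntp distribution.
# Rank NTP clients by the packet count reported by "ntpdc -n -c monlist",
# then generate the ntp.conf "restrict" lines and firewall rules that
# silence the heaviest pollers.

# CONSTRUCTED sample monlist output (not a real capture). Columns follow
# ntpdc's monlist layout; 203.0.113.5 plays the server, the rest are clients.
SAMPLE_MONLIST='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
198.51.100.7             123 203.0.113.5       918270 3 4      0      0       0
192.0.2.44               123 203.0.113.5         1202 3 4      0     64       3
192.0.2.45               123 203.0.113.5           38 3 4      0   1024     512
198.51.100.9             123 203.0.113.5       402113 3 3      0      1       0
192.0.2.46              4123 203.0.113.5            4 3 4      0   1024     900'

# top_ntp_clients [N]: read monlist text on stdin and print "count address"
# for the N (default 5) busiest remote addresses, busiest first.
# The two header lines are skipped; only rows with a numeric count column count.
top_ntp_clients() {
    n=${1:-5}
    awk 'NR > 2 && NF >= 4 && $4 ~ /^[0-9]+$/ { print $4, $1 }' |
        sort -rn | head -n "$n"
}

# abusive_clients THRESHOLD: print the remote addresses whose packet count
# exceeds THRESHOLD, in the order monlist listed them.
abusive_clients() {
    awk -v t="$1" 'NR > 2 && NF >= 4 && $4 ~ /^[0-9]+$/ && $4 + 0 > t + 0 { print $1 }'
}

# restrict_lines THRESHOLD: emit per-host ntp.conf lines that make ntpd drop
# the offenders' packets without answering ("just don't respond" from the mail).
restrict_lines() {
    abusive_clients "$1" | while read -r ip; do
        printf 'restrict %s ignore\n' "$ip"
    done
}

# firewall_rules THRESHOLD: emit iptables commands (printed, not executed) that
# drop the offenders' NTP traffic before it reaches ntpd at all.
firewall_rules() {
    abusive_clients "$1" | while read -r ip; do
        printf 'iptables -I INPUT -p udp --dport 123 -s %s -j DROP\n' "$ip"
    done
}

# default_restrict: the global policy to put in ntp.conf. "kod" sends a
# kiss-o'-death to clients that poll faster than the "discard" limits allow
# (the 'kod' packet from the mail) and "limited" drops the excess; "noquery"
# keeps monlist and other mode-7 queries off the public interface, answering
# them only from localhost.
default_restrict() {
    cat <<'EOF'
discard minimum 2 average 3
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
}

# On a live server replace the sample with the daemon's output, e.g.:
#   ntpdc -n -c monlist | top_ntp_clients 10
#   ntpdc -n -c monlist | restrict_lines 100000 >> /etc/ntp.conf
printf '%s\n' "$SAMPLE_MONLIST" | top_ntp_clients 3
printf '%s\n' "$SAMPLE_MONLIST" | firewall_rules 100000
default_restrict
```

The per-host "restrict ... ignore" line is the cheapest fix because ntpd still sees the packet but stays silent; the iptables rule is what to reach for when, as the mail warns, the flood is saturating the link or a NAT table rather than ntpd itself.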

