Standard User billford
(elder) Sat 15-Feb-14 16:45:14

Re: NTP DDoS attacks


[re: deleted] [link to this post]
 
I'm not complacent about it, but everything I've seen so far relates to IPv4 and, as I said, port 123 is blocked by the router on that protocol.

For IPv6 I suspect the risk is extremely low, certainly lower than the risk of what I could do by messing with things I don't understand. If someone can come up with a step-by-step guide how to block incoming IPv6 ntp queries on OS X then I'll think about it.

Also, unless it was a typo, you said earlier that it was costing you 3MB/hour - frankly, I doubt if I'd even notice that. I use nearly 20x that just streaming Radio 3 crazy

Bill
A level playing field is level in both directions.

Standard User deleted
(deleted) Sat 15-Feb-14 17:43:15

Re: NTP DDoS attacks


[re: billford] [link to this post]
 
The 3MB an hour was AFTER I blocked the attack. The attack is relentless.

Here are some logs:

During attack before I got home to fix it:
04:31:10        145.6 MB        4.69 GB
04:42:04        153.54 MB       4.84 GB
04:51:43        159.94 MB       4.99 GB
05:02:05        170.82 MB       5.16 GB
05:09:19        205.57 MB       5.36 GB
05:21:16        210.54 MB       5.57 GB
05:29:15        159.34 MB       5.72 GB
05:42:09        142.66 MB       5.86 GB
05:51:28        192.65 MB       6.05 GB
06:01:38        203.06 MB       6.25 GB
06:11:51        200.13 MB       6.44 GB
06:20:55        206.91 MB       6.65 GB
06:31:38        177.75 MB       6.82 GB
06:38:35        172.82 MB       6.99 GB
06:52:16        131.23 MB       7.12 GB
07:01:38        120.75 MB       7.23 GB
07:11:27        156.79 MB       7.39 GB
07:21:50        133.41 MB       7.52 GB


Logs after I locked it down, but still getting hit:

03:36:16        679.19 KB       19.5 MB
03:46:26        632.98 KB       20.12 MB
03:57:02        619.59 KB       20.72 MB
04:06:11        665.82 KB       21.37 MB
04:16:33        640.04 KB       22 MB
04:26:04        803.64 KB       22.78 MB
04:36:48        701.18 KB       23.47 MB
04:46:42        710.06 KB       24.16 MB
04:56:10        795.03 KB       24.94 MB
05:06:25        750.56 KB       25.67 MB
05:15:55        678.12 KB       26.33 MB
05:26:26        564.38 KB       26.88 MB
05:36:05        403.87 KB       27.28 MB
05:45:53        528.09 KB       27.79 MB
05:56:13        632.77 KB       28.41 MB
06:06:37        632.51 KB       29.03 MB
06:13:57        620.63 KB       29.63 MB
06:25:45        707.88 KB       30.33 MB
06:36:01        798.03 KB       31.11 MB


Seriously, it is worth looking into keeping it secure.

AND as I stated, once you get hit, no matter what you do, the ATTACK requests will not STOP!

Nick
Standard User Pipexer
(eat-sleep-adslguide) Sat 15-Feb-14 17:56:09

Re: NTP DDoS attacks


[re: deleted] [link to this post]
 
In reply to a post by Lethe:
AND as I stated, once you get hit, no matter what you do, the ATTACK requests will not STOP!

There is a strong chance they will stop after a few days when people get bored..

Zen 8000 Pro

Standard User Pipexer
(eat-sleep-adslguide) Sat 15-Feb-14 17:58:19

Re: NTP DDoS attacks


[re: billford] [link to this post]
 
In reply to a post by billford:
So the OS X firewall appears to pass incoming IPv6 ntpd requests, not sure it's worth worrying about?

For now, there is a good chance the attack is IPv4 based so you probably don't need to interrupt your weekend plans to get this fixed, but it might be worth investigating at some point.

Zen 8000 Pro
Standard User deleted
(deleted) Sat 15-Feb-14 18:08:49

Re: NTP DDoS attacks


[re: Pipexer] [link to this post]
 
In reply to a post by Pipexer:
In reply to a post by Lethe:
AND as I stated, once you get hit, no matter what you do, the ATTACK requests will not STOP!

There is a strong chance they will stop after a few days when people get bored..


Unfortunately, they are not people - but bots, spoofed IPs and other mechanisms. I turned my modem off for 12 hours, and as soon as I plugged it in, off they go again. No matter what I did, non-stop incessant pounding on port 123.

My last post here - it was just a heads up to what will happen. If nobody agrees with me, then fair enough - I just hope nobody else gets attacked due to an open NTP server even if you *think* you will not.

Nick