Netgate Discussion Forum

DDoS attack on UDP port 123 (Firewalling)
11 Posts, 3 Posters, 4.9k Views
johnpoz (LAYER 8 Global Moderator):

So 123, or NTP? Are you running an NTP server that you did not update the config on? Have you been living in a cave? There have been huge issues with NTP attacks. Probably using you as a source for an NTP attack. Can you post some of these queries from a sniff? Are you sure you didn't just list your IP in pool.ntp.org and set your bandwidth too high? If you set your bandwidth for a server in ntp.org to a gig, you're going to get a lot of queries ;)

I have my server in pool.ntp but I set my bandwidth to 384k, and get about 2 queries a second.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

SirIrish:

Yes, NTP.
No, I am not running an NTP server and the NTP service is not running on my pfSense.
It is an awesome cave. I know about the issues with the NTP attacks but I don't know how to stop them.
Like I said, my pfSense is dropping all the packets.

        Anything else?

johnpoz (LAYER 8 Global Moderator):

Well, if you didn't open the port and aren't listening on NTP, then yes, it's either an attack against you or a mistake. If you're not answering these NTP queries then, if it was the pool, you would drop off the list because your server has to maintain a score of 10 to be listed.

Can you post some of these packets? So for example, here is a sniff of a normal NTP query and my server answering. Let's see some of these 12k pps and what is in them: is it an actual valid query or someone running the NTP attack against your machine?

You're going to need to change your IP address, or contact your ISP and have them block all 123 to you. If it really is a DDoS, there is not much you can do at your end. You need to move (change IP) or get your ISP to block it.

Are the packets all coming from the same IP, the same netblock or all over the board? See my traces below for NTP; normally running an NTP server will get you IPs from all over the place.

[attachments: client.png, server.png]

SirIrish:

When they are coming in, they are only coming in from one IP address. Since last Friday there have been about 5 or 6 different IPs.
I have been on to my ISP and asked them to look into it and to block all NTP requests, but they said they couldn't.
After going back and forth with them for a week asking them to do something, their top tier tech support's answer was to call the cops.
Below is a screenshot of the latest IP.
I was thinking I would have to change my IPs, but if this is not random and someone is directing it at me then they will change with me.

[attachment: Capture2.PNG]

kpa:

              You're just unlucky to be singled out as a target for an NTP amplification DDoS even if you don't have an NTP service open. It can happen if your IP address looks otherwise "interesting" for such attacks because you have a public web site (for example) open on the IP address.

johnpoz (LAYER 8 Global Moderator):

That sniff looks very odd; the source port is 80 (http). So yeah, it really looks like an amplification attack, since your server would send traffic back to what you would assume is an HTTP server on that IP. Could you actually grab one of the packets and see what is in it? If they are asking you for a listing of your clients, that is one of the known attack vectors.

That network shows as:

                inetnum:        37.221.163.0 - 37.221.163.31
                netname:        JavaPipeLLC
                descr:          DDoS protected services EUROPE
                country:        RO

You could contact them about traffic that looks to be coming from their network, which in reality it most likely is not; they are most likely the ones under attack.

                person:        Iosif Rapan
                address:        Strada Rozelor, Nr.11, Bl. G3, Ap. 15, Otelu Rosu
                phone:          +1.8009181890
                nic-hdl:        IR1497-RIPE
mnt-by:         VOXILITY-MNT
source:         RIPE # Filtered
                abuse-mailbox:  abuse-admin@javapipe.com

Seems kind of pointless to try and use you as amplification if you're not answering their queries. I would change your IP, since it doesn't seem you're the one under attack but a pawn in their game of attacking that source IP and port.

SirIrish:

I have contacted the last IP address owner and they are under attack.
It is as you say: they are trying to use our IP for amplification. It is annoying though, as it is not working for them and yet they still use my IP.
There is a new IP hitting me now >:( Below is a packet.

[attachment: Capture3.PNG]

johnpoz (LAYER 8 Global Moderator):

Yup, so they are trying to use you to attack this guy:

                    49.103.176.in-addr.arpa. 10800  IN      SOA    ns1.xserver.ua. vitaliy.xserver.

                    inetnum:        176.103.48.0 - 176.103.63.255
                    netname:        XServer-IP-Network-6
                    descr:          PE Ivanov Vitaliy Sergeevich
                    country:        UA

Yup, as you highlighted, they are requesting your monitor list, which would be a LOT of data for the one small query that you would send in that direction.

I would really just change your IP, dude. Should be as simple as changing your MAC and renewing your DHCP lease.

SirIrish:
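A detection-side illustration of the monlist request johnpoz is pointing at, added here as an example and not code from the thread, from pfSense or from ntpd: it classifies UDP/123 payloads by NTP mode, flags mode 7 (ntpdc private) monitor-list requests, and counts them per source IP and port so the spoofed victim (here with the odd source port 80 seen in the sniff) stands out. The packet bytes and addresses are constructed for the example.

```python
# Added example: classify NTP packets seen at the firewall and flag monlist
# (mode 7) requests, the amplification probe discussed in the thread.
# All packet bytes and addresses below are constructed, not captured.
from collections import Counter

MODE_NAMES = {3: "client", 4: "server", 7: "private"}
# ntpdc request codes that return the monitor list (MON_GETLIST, MON_GETLIST_1)
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
IMPL_XNTPD = 3  # implementation number used by ntpdc mode 7 requests


def classify_ntp(payload: bytes) -> str:
    """Label a UDP/123 payload from its NTP header bytes."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07                      # low 3 bits: NTP mode
    if mode != 7:
        return MODE_NAMES.get(mode, f"mode{mode}")
    # Mode 7 layout: byte 2 = implementation, byte 3 = request code
    impl, req_code = payload[2], payload[3]
    if impl == IMPL_XNTPD and req_code in MONLIST_CODES:
        return f"monlist-request({MONLIST_CODES[req_code]})"
    return "private-other"


def find_reflection_victims(records, threshold=3):
    """records: iterable of (src_ip, src_port, payload).
    Returns {(src_ip, src_port): count} for sources that sent at least
    `threshold` monlist requests. Because the source is spoofed in a
    reflection attack, that address is the real victim, not the attacker."""
    hits = Counter()
    for src_ip, src_port, payload in records:
        if classify_ntp(payload).startswith("monlist-request"):
            hits[(src_ip, src_port)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


# Constructed samples: an ntpdc monlist probe (mode 7, impl 3, code 42)
# and a normal NTPv4 client query (LI=0, VN=4, mode 3).
MONLIST_PROBE = b"\x17\x00\x03\x2a" + b"\x00" * 4
NORMAL_CLIENT = bytes([0x23]) + b"\x00" * 47
SAMPLE = [("203.0.113.10", 80, MONLIST_PROBE)] * 4 + [
    ("198.51.100.7", 49152, NORMAL_CLIENT),
]

if __name__ == "__main__":
    for ip, port, pkt in SAMPLE:
        print(f"{ip}:{port} -> {classify_ntp(pkt)}")
    print("likely spoofed victims:", find_reflection_victims(SAMPLE))
```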

We have 30 static IPs so it's a little more involved than that.
I'll change them on Monday as I'm not in the mood for all the records that will have to be changed to accommodate them.
Right now I need a beer.

                      Thanks for all the info. Have a great weekend!!

johnpoz (LAYER 8 Global Moderator):

                        So they are hitting all 30 of your IPs?  Or just 1?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.