Netgate Discussion Forum
Question: NTP DDoS attack

General pfSense Questions
12 Posts 5 Posters 2.0k Views
vaskotoo:

Hey everyone.

I experienced such an attack a few days ago and since then I have been working pretty much only on that at the moment: how to prevent it in the future (I found some nice guides but still have a "better" idea, need to discuss it).
So I have 3 general questions:

1. Under the attack: I saw that no matter what I am blocking or rejecting, the packets are sent to that specific IP regardless of what is behind it. Is it in any way possible to save the bandwidth by somehow telling pfSense to ignore that traffic, or will that continue filling up my bandwidth between me and the ISP, because the ISP keeps on "forwarding" the flood of UDP traffic? If I understand this correctly, there is nothing I can do to stop an already running attack; the ISP is the one that has to filter the traffic for me. Do I understand this correctly?

2. More or less, most of the things I saw in the guides seem to be already configured, but I am thinking about something else as well. Is it worth it to have a bunch of proxy servers that "hide" and filter the traffic, so we make it a bit harder for the attacker to find our real IP and start bombing it again, and if it attacks the proxy, we just switch to the next and they take care of the DDoS?
Shortly: protect via proxies, is that worth it?

3. Once our real IP address has been compromised (known to the attackers), should I switch to another IP? Or shall I fight for it!

doktornotor (Banned):

        1/ Never run a public NTP server
        2/ Talk to your ISP.

        End of story.

vaskotoo:

But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.

mer:

@vaskotoo:

    But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.

If you're not running a public NTP server, then did you just see packets destined for port 123 during the DDoS? Or was it some other port?
If the provider is forwarding or letting this go to your address, then, as dok said, they need to stop it. The best you could do is not let it into your network.

vaskotoo:

The source port was 123, and the destination port was 37433.
Here are 2 screenshots from the packet capture; the first is before I block everything, and the second is after I block everything. Meanwhile the interface was excluded from the load balancing group we use, so no one used it for traffic.
I have also configured my laptop with the WAN config and placed it instead of the router; I got exactly the same traffic in.

[Screenshots attached: before.PNG, after.PNG]

johnpoz (LAYER 8 Global Moderator):

I run a public NTP server, but I agree with dok with this caveat.. Never run any public service unless you fully understand what you're doing ;)

Looks to me like you were under an attack via NTP amplification.. I spoof your IP and tell an NTP server, hey, I want the list of boxes talking to you (monlist, a large amount of data normally), send it to me..

You're just making it worse sending back, via ICMP, hey, that port is not open..

There is nothing you can do when under a bandwidth attack other than move IPs or contact your ISP to block the traffic upstream.. If they have filled up your pipe there is nothing you can do with a firewall to not have your pipe filled..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

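The pattern johnpoz describes (spoofed monlist queries, reflectors answering from UDP port 123 to an arbitrary high port on the victim, far more bytes coming back than were ever sent) can be picked out of a packet capture before calling the ISP. The script below is an added example for this thread, not pfSense code and not the poster's capture: it parses simplified tcpdump-style lines (the sample lines, addresses and the 440-byte payload size are constructed for the example) and flags flows that arrive from source port 123 on several distinct reflectors without any matching outbound query, which separates a reflection flood from a normal NTP client reply that also happens to come from port 123. The thresholds `min_reflectors` and `min_avg_payload` are assumptions chosen for the sample.

```python
"""Spot NTP amplification (reflection) flows in packet-capture output.

Added example for this thread; not pfSense code and not the poster's
capture. It parses simplified tcpdump-style lines and looks for many
distinct hosts replying from UDP source port 123 to one arbitrary high port
on your address, with large payloads, when your side never queried them.
"""
import re
from collections import defaultdict

NTP_PORT = 123

# Constructed sample capture (RFC 5737 documentation addresses): one
# legitimate NTP exchange, a burst of unsolicited monlist-sized replies aimed
# at port 37433, and an unrelated DNS query the parser is expected to skip.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 203.0.113.5.51234 > 192.0.2.20.123: NTPv4, Client, length 48
10:00:00.010200 IP 192.0.2.20.123 > 203.0.113.5.51234: NTPv4, Server, length 48
10:00:01.000010 IP 198.51.100.10.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000020 IP 198.51.100.10.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000030 IP 198.51.100.11.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000040 IP 198.51.100.12.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000050 IP 198.51.100.13.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000060 IP 198.51.100.14.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:01.000070 IP 198.51.100.10.123 > 203.0.113.5.37433: NTPv2, Reserved, length 440
10:00:02.000000 IP 203.0.113.5.44000 > 192.0.2.30.53: 12345+ A? example.com. (29)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <decoder info>, length <N>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.*?), length (?P<length>\d+)$"
)


def parse_capture(text):
    """Return one dict per parsable line; lines without a trailing
    'length N' (such as tcpdump's DNS decoding) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("sport", "dport", "length"):
            pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets


def summarize_ntp_inbound(packets):
    """Group packets with source port 123 by (destination IP, destination port).

    A flow is 'solicited' when the capture also shows a packet leaving that
    same IP:port towards port 123, i.e. a normal client query the reply
    belongs to. Reflection traffic has no such outbound query.
    """
    queried = {(p["src"], p["sport"]) for p in packets if p["dport"] == NTP_PORT}
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in packets:
        if p["sport"] != NTP_PORT:
            continue
        flow = flows[(p["dst"], p["dport"])]
        flow["packets"] += 1
        flow["bytes"] += p["length"]
        flow["reflectors"].add(p["src"])
    for key, flow in flows.items():
        flow["solicited"] = key in queried
    return dict(flows)


def find_amplification_victims(packets, min_reflectors=3, min_avg_payload=200):
    """Return (dst, dport, reflector_count, total_bytes) for flows that look
    like amplification: unsolicited, several reflectors, large payloads.
    The two thresholds are assumptions for this example, not measured values."""
    victims = []
    for (dst, dport), flow in summarize_ntp_inbound(packets).items():
        if flow["solicited"]:
            continue
        avg_payload = flow["bytes"] / flow["packets"]
        if len(flow["reflectors"]) >= min_reflectors and avg_payload >= min_avg_payload:
            victims.append((dst, dport, len(flow["reflectors"]), flow["bytes"]))
    return sorted(victims)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for dst, dport, reflectors, total in find_amplification_victims(pkts):
        print(f"{dst}:{dport} <- {reflectors} reflectors, {total} bytes of unsolicited NTP")
```

Feed it the text of a `tcpdump -nn` capture on the WAN interface and it lists, per victim IP:port, how many reflectors were involved and how many bytes arrived, which is the evidence an ISP will want when asked to filter upstream. Note that the legitimate reply from 192.0.2.20 is not reported even though it also comes from port 123, because the capture shows the client's own query first. As the thread says, the script only identifies the flood: dropping it at pfSense does not free the pipe between you and the ISP, and rejecting it with ICMP only adds outbound traffic.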
Harvy66:

If someone is flooding you with mail, there is nothing you can do at your mailbox to stop the flood. You need to go to your post office and tell them to stop it. In the case of NTP, you're lucky. They could block all NTP responses from getting to you, but then your NTP will not work; at least your internet will.

vaskotoo:

Thank you for your reply, Harvy and johnpoz! Yes, that's what it was: a bunch of "zombies" flooding me with monlist requests. I found the answer I was looking for for Q1.
And that leads to the second question: is it really worth it to hide my IP behind a bunch of proxies so they never know my real address and knock on my real door (at least minimize the chance of it)? Because the only way around it I found was to switch to another IP provided by the ISP, but I am afraid that they know the address and might do it again, so I am considering change + proxy, or am I wrong here?

johnpoz (LAYER 8 Global Moderator):

Who do you think you are hiding your IP from??? You're just sending everything to a proxy that could be selling off that info for all you know.. Depends on how tight your tinfoil hat is ;)

Were you the actual target of the attack, or did some script kiddie somewhere make a typo in the IP he wanted to attack?

Do you run any specific service on your IP? Or was this somebody you pissed off in a game or something?

vaskotoo:

That's the IP for all the users on our network (70+), and I don't know if some of them did something, but I experienced the DDoS. On that IP all I have is one open port for OpenVPN (random port), and a week ago I updated pfSense to the latest updates.
So far I see I can not really do much about preventing this for the future; it's all in the hands of my ISP.
Are there really no suggestions for how I can minimize the chance of being DDoSed?

johnpoz (LAYER 8 Global Moderator):

Don't piss anyone off ;) Don't run any service(s) that might offend people. You know, like a website stating your opinions ;) Or your business that someone doesn't like.. Or someone could make money by taking you offline for a while..

You can work with your ISP on what they can put in place to mitigate DDoS via active monitoring if you're worried about it. Let's just say it's going to require a budget!!

vaskotoo:

Update:

The reason for the DDoS was well known to our ISP; there have been warnings of DDoS against all the banks and companies that deal with money transfers. That's how we got affected.
