Question : NTP DDoS attack
-
Hey everyone.
I have experienced such an attack few days ago and since then I am working pretty much only on that at the moment - How to prevent it in the future(I found some nice guides but still have a "better" idea, need to discuss it).
So I have 3 general questions:1. Under the attack : I saw that no matter what I am blocking,rejecting the packets are send to that specific IP regardless of what is behind. Is it anyway possible to save the Bandwidth by somehow tell Pfsense to ignore that traffic, or that will continue filling up my Bandwidth between me and the ISP, because the ISP keep on "forwarding" the flood of UDP traffic? If I understand this correct, there is nothing I can do to stop already running attack, the ISP is the one that have to filter the traffic for me. Do I understand this correct ?
2. More less most of the things I saw in the guides seems to be already configured but I think about something else as well. Does it worthy to have a bunch of Proxy servers that "hide" and filter the traffic so we make it a bit harder for the attacker to find our real IP start bombing it again, and if it attacks the proxy , we just switch to the next and they take care of the DDoS? -
Shortly: Protect via Proxy's , is that worthy ?3. Once our real IP address is being compromised(known for the attackers) should I switch to another IP? Or shall I fight for it!
-
1/ Never run a public NTP server
2/ Talk to your ISP.End of story.
-
But I am not running NTP server. Its our users network, so I dont really know why we got the DDoS attack.
-
But I am not running NTP server. Its our users network, so I dont really know why we got the DDoS attack.
If you're not running a public NTP server, then did you just see packets destined for port 123 during the DDoS? or was it some other port?
If the provider is forwarding or letting this go to your address, then as dok said, they need to stop it. The best you could do is not let it into your network. -
The Source port was 123 , and the Destination port was 37433
Here there are 2 screenshots from the Packet Capture, the first is before I block everything, and the second is after I block everything - meanwhile the interface was excluded from the Load Balancing group we use, so no one used it for traffic.
I have also config my Laptop with the WAN config and place it instead of the router, I got exactly the same traffic in.
-
I run a public ntp server, but I agree with dok with this caveat.. Never run any public service, unless you fully understand what your doing ;)
Looks like to me you were under an attack via ntp amplification.. I spoof your IP and tell a ntp server hey I want the list of boxes talking to you (monlist, large amount of data normally) send it too me..
You just making it worse sending back, hey that port is not open via icmp..
There is nothing you can do when under a bandwidth attack other than move IPs or contact your isp to block the traffic up stream.. If they have filled up your pipe there is nothing you can do with a firewall to not have your pipe filled..
-
If someone is flooding you with mail, there is nothing you can do at your mailbox to stop the flood. You need to go to your post office and tell them to stop it. In the case of NTP, you're lucky. They could block all NTP responses from getting to you, but then your NTP will not work, at least your internet will.
-
Thank you for your reply, Harvy and johnpoz! Yes thats what was it a bunch of "zombies" flooding me with monlist request. I found the answer I was looking for Q1 .
And that leads to the second question, is it really worthy to hide my IP behind bunch of proxy's so they never know my real address and knock on my real door(atleast minimize the chance of it) . Because the only way around I found was to switch to another IP provided by the ISP, But I am afraid that they know the address and might do it again so I consider change + proxy or I am wrong here? -
Who do you think you are hiding your IP from??? Your just sending everything to a proxy, that could be selling off that info for all you know.. Depends on how tight your tinfoil hat is ;)
Were you the actual target of the attack, or did some script kiddie somewhere make a typo in the ip he wanted to attack?
Do you run any specific service on your IP? Or was this somebody you pissed off in a game or something?
-
Thats the IP for all the users on our network ( 70+ ) And I dont know if some of them did something, but I experience the DDoS. On that IP all I got is one open port for the OpenVPN(random port) And week ago I have update the Pfsense to latest updates.
So far I see I can not really do much about preventing this for the future, its all in the hands of my ISP.
Is there really no suggestions how I can minimize the chance of being DDoS? -
Don't piss anyone off ;) Don't run any service(s) that might offend people. You know like a website stating your opinions ;) Or you business that someone doesn't like.. Or someone could make money by taking you offline for a while..
You can work with your isp on what they can put in place to mitigate ddos via active monitoring if your worried about it. Les just say its going to require a budget!!
-
Update :
The reason for the DDoS was well known for our ISP, there has been warnings for DDoS to all the banks and company's that deal with money transfer - Thats how we got affected.
