Question: NTP DDoS attack
-
But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.
-
But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.
If you're not running a public NTP server, then did you just see packets destined for port 123 during the DDoS? Or was it some other port?
If the provider is forwarding or letting this go to your address, then, as dok said, they need to stop it. The best you could do is not let it into your network.
-
The source port was 123, and the destination port was 37433.
Here are 2 screenshots from the packet capture; the first is before I block everything, and the second is after I block everything. Meanwhile the interface was excluded from the load balancing group we use, so no one used it for traffic.
I have also configured my laptop with the WAN config and placed it instead of the router, and I got exactly the same traffic in.
-
I run a public NTP server, but I agree with dok with this caveat: never run any public service unless you fully understand what you're doing ;)
Looks to me like you were under an attack via NTP amplification. I spoof your IP and tell an NTP server, hey, I want the list of boxes talking to you (monlist, a large amount of data normally), send it to me.
You're just making it worse by sending back, via ICMP, hey, that port is not open.
There is nothing you can do when under a bandwidth attack other than move IPs or contact your ISP to block the traffic upstream. If they have filled up your pipe, there is nothing you can do with a firewall to not have your pipe filled.
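As an added example (not code posted by anyone in this thread), a small Python script that applies the check johnpoz describes to a tcpdump-style capture: UDP replies from source port 123 that arrive from many different servers at a local port we never used to ask for time are reflected monlist responses, not legitimate NTP traffic. The addresses, ports and packet sizes in the sample are constructed, not taken from the thread's screenshots.

```python
import re
from collections import defaultdict

# Constructed sample in a tcpdump-like one-line format (not from the thread's captures):
# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
# 198.51.100.7 plays the role of our WAN address. The last two lines are a normal
# NTP request from us and its reply, which the check must NOT flag.
SAMPLE_CAPTURE = """\
10:00:00.001 IP 203.0.113.10.123 > 198.51.100.7.37433: UDP, length 468
10:00:00.002 IP 203.0.113.11.123 > 198.51.100.7.37433: UDP, length 468
10:00:00.003 IP 203.0.113.12.123 > 198.51.100.7.37433: UDP, length 468
10:00:00.004 IP 203.0.113.13.123 > 198.51.100.7.37433: UDP, length 468
10:00:00.007 IP 203.0.113.14.123 > 198.51.100.7.37433: UDP, length 468
10:00:00.005 IP 198.51.100.7.52001 > 192.0.2.50.123: UDP, length 48
10:00:00.006 IP 192.0.2.50.123 > 198.51.100.7.52001: UDP, length 48
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)$"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, length) tuples for UDP lines; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"])))
    return rows


def find_ntp_reflection(text, our_ip, min_sources=3):
    """Map each local port receiving unsolicited UDP/123 replies from at least
    min_sources distinct servers to the number of such servers and bytes received."""
    rows = parse_capture(text)
    # (local port, server) pairs for which we actually sent an NTP request
    requested = {(sport, dst) for src, sport, dst, dport, _ in rows if src == our_ip and dport == 123}
    hits = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, length in rows:
        if dst == our_ip and sport == 123 and (dport, src) not in requested:
            hits[dport]["sources"].add(src)
            hits[dport]["bytes"] += length
    return {
        port: {"sources": len(info["sources"]), "bytes": info["bytes"]}
        for port, info in hits.items()
        if len(info["sources"]) >= min_sources
    }
```

A real capture would of course show thousands of reflectors; the script only identifies the pattern, and as the thread says, the filtering itself has to happen upstream at the ISP.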
-
If someone is flooding you with mail, there is nothing you can do at your mailbox to stop the flood. You need to go to your post office and tell them to stop it. In the case of NTP, you're lucky. They could block all NTP responses from getting to you, but then your NTP will not work; at least your internet will.
-
Thank you for your reply, Harvy and johnpoz! Yes, that's what it was: a bunch of "zombies" flooding me with monlist requests. I found the answer I was looking for to Q1.
And that leads to the second question: is it really worth it to hide my IP behind a bunch of proxies so they never know my real address and knock on my real door (at least minimize the chance of it)? Because the only way around it I found was to switch to another IP provided by the ISP, but I am afraid that they know the address and might do it again, so I am considering change + proxy, or am I wrong here?
-
Who do you think you are hiding your IP from??? You're just sending everything to a proxy that could be selling off that info for all you know. Depends on how tight your tinfoil hat is ;)
Were you the actual target of the attack, or did some script kiddie somewhere make a typo in the IP he wanted to attack?
Do you run any specific service on your IP? Or was this somebody you pissed off in a game or something?
-
That's the IP for all the users on our network (70+), and I don't know if some of them did something, but I experienced the DDoS. On that IP all I have is one open port for OpenVPN (random port), and a week ago I updated pfSense to the latest updates.
So far I see I can not really do much about preventing this in the future; it's all in the hands of my ISP.
Are there really no suggestions for how I can minimize the chance of being DDoSed?
-
Don't piss anyone off ;) Don't run any service(s) that might offend people. You know, like a website stating your opinions ;) Or your business that someone doesn't like. Or someone could make money by taking you offline for a while.
You can work with your ISP on what they can put in place to mitigate DDoS via active monitoring if you're worried about it. Let's just say it's going to require a budget!!
-
Update:
The reason for the DDoS was well known to our ISP: there had been warnings of DDoS against all the banks and companies that deal with money transfers. That's how we got affected.