Netgate Discussion Forum
    Question : NTP DDoS attack

    General pfSense Questions

    vaskotoo:

      But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.

      mer:

        @vaskotoo:

        But I am not running an NTP server. It's our users' network, so I don't really know why we got the DDoS attack.

        If you're not running a public NTP server, then did you just see packets destined for port 123 during the DDoS? Or was it some other port?
        If the provider is forwarding or letting this go to your address, then, as dok said, they need to stop it. The best you could do is not let it into your network.

        vaskotoo:

          The source port was 123, and the destination port was 37433.
          Here are 2 screenshots from the packet capture: the first is before I block everything, and the second is after I block everything; meanwhile the interface was excluded from the load-balancing group we use, so no one used it for traffic.
          I have also configured my laptop with the WAN config and placed it in place of the router, and I got exactly the same traffic in.

          [Screenshots attached: before.PNG, after.PNG]

          johnpoz (LAYER 8 Global Moderator):

            I run a public NTP server, but I agree with dok, with this caveat: never run any public service unless you fully understand what you're doing ;)

            Looks to me like you were under an attack via NTP amplification: I spoof your IP and tell an NTP server, hey, I want the list of boxes talking to you (monlist, normally a large amount of data), send it to me.

            You're just making it worse by sending back, via ICMP, "hey, that port is not open".

            There is nothing you can do when under a bandwidth attack other than move IPs or contact your ISP to block the traffic upstream. If they have filled up your pipe, there is nothing you can do with a firewall to not have your pipe filled.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

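Putting johnpoz's description into working code, as an added example that is not part of this thread and not pfSense's own code: the 8-byte mode-7 monlist query an attacker sends with the victim's address as source, a decoder for the mode-7 header ntpd replies with, and a pass over a capture that groups source-port-123 replies by destination the way vaskotoo's screenshots would. The capture is constructed inline: the victim and reflector addresses are documentation ranges, the 37433 destination port is the one reported above, and the 72-byte entry / six entries per 440-byte packet layout is the classic ntpd monlist reply format.

```python
"""NTP monlist reflection: the query, the reply header, and a flood detector.

Added example for this thread (not from the original posts or from pfSense).
Sample packets are constructed inline; IPs are documentation ranges and the
37433 destination port is the one vaskotoo reported.
"""
import struct
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7        # NTP "mode 7": ntpd's private control/monitoring protocol
IMPL_XNTPD = 3          # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42  # monlist request code (the query behind CVE-2013-5211)
MONLIST_ITEM = 72       # bytes per monlist entry in a reply
MONLIST_REQ_LEN = 8     # the whole query is one 8-byte header
HDR = "!BBBBHH"         # rm_vn_mode, auth_seq, implementation, request, err|nitems, mbz|size


def build_monlist_request() -> bytes:
    """The 8-byte query an attacker sends with the victim's IP as source.
    First byte 0x17: response=0, more=0, version=2, mode=7."""
    return struct.pack(HDR, 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_response(n_items: int, more: bool) -> bytes:
    """Constructed reply: mode-7 header + n_items zeroed 72-byte entries.
    Real ntpd sends 6 entries per packet (440 bytes) and up to 100 packets per query."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack(HDR, b0, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, n_items, MONLIST_ITEM)
    return hdr + b"\x00" * (MONLIST_ITEM * n_items)


def parse_mode7(payload: bytes):
    """Decode a mode-7 header; None for anything else (e.g. a normal mode-3/4 exchange)."""
    if len(payload) < MONLIST_REQ_LEN:
        return None
    b0, _seq, impl, req, err_nitems, mbz_size = struct.unpack(HDR, payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "implementation": impl,
        "request_code": req,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def analyse_capture(packets, min_reflectors=3):
    """packets: iterable of (src_ip, sport, dst_ip, dport, udp_payload).
    Flag each (dst, dport) that receives monlist *responses* from several different
    NTP servers: a host that never queried from that port cannot legitimately be
    getting them, so they are reflected answers to spoofed-source queries."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, payload in packets:
        if sport != NTP_PORT:
            continue
        hdr = parse_mode7(payload)
        if hdr is None or not hdr["response"] or hdr["request_code"] != REQ_MON_GETLIST_1:
            continue  # ordinary time replies, or mode-7 queries aimed at us
        e = per_dst[(dst, dport)]
        e["reflectors"].add(src)
        e["packets"] += 1
        e["bytes"] += len(payload)
    findings = []
    for (dst, dport), e in sorted(per_dst.items()):
        if len(e["reflectors"]) < min_reflectors:
            continue
        # lower bound: assume one 8-byte spoofed query per reflector triggered what we saw
        amp = e["bytes"] / (MONLIST_REQ_LEN * len(e["reflectors"]))
        findings.append({"dst": dst, "dport": dport, "reflectors": len(e["reflectors"]),
                         "packets": e["packets"], "bytes": e["bytes"],
                         "est_amplification": amp})
    return findings


VICTIM = ("203.0.113.10", 37433)  # constructed victim; dport taken from the post


def constructed_capture():
    """Five reflectors each answer one spoofed query with three 440-byte packets,
    plus one legitimate mode-4 reply to a query of our own (must be ignored)."""
    pkts = []
    for i in range(1, 6):
        for k in range(3):
            pkts.append((f"198.51.100.{i}", NTP_PORT, *VICTIM,
                         build_monlist_response(6, more=(k < 2))))
    pkts.append(("192.0.2.1", NTP_PORT, VICTIM[0], 40000, bytes([0x24]) + b"\x00" * 47))
    return pkts


if __name__ == "__main__":
    for finding in analyse_capture(constructed_capture()):
        print(finding)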
            Harvy66:

              If someone is flooding you with mail, there is nothing you can do at your mailbox to stop the flood. You need to go to your post office and tell them to stop it. In the case of NTP, you're lucky: they could block all NTP responses from getting to you, but then your NTP will not work; at least your internet will.

              vaskotoo:

                Thank you for your reply, Harvy and johnpoz! Yes, that's what it was: a bunch of "zombies" flooding me with monlist requests. I found the answer I was looking for to Q1.
                And that leads to the second question: is it really worth it to hide my IP behind a bunch of proxies so they never know my real address and knock on my real door (or at least to minimize the chance of it)? Because the only way around it I found was to switch to another IP provided by the ISP, but I am afraid that they know the address and might do it again, so I'm considering change + proxy. Or am I wrong here?

                johnpoz:

                  Who do you think you are hiding your IP from??? You're just sending everything to a proxy that could be selling off that info for all you know. Depends on how tight your tinfoil hat is ;)

                  Were you the actual target of the attack, or did some script kiddie somewhere make a typo in the IP he wanted to attack?

                  Do you run any specific service on your IP? Or was this somebody you pissed off in a game or something?

                  vaskotoo:

                    That's the IP for all the users on our network (70+), and I don't know if some of them did something, but I experience the DDoS. On that IP all I have is one open port for OpenVPN (random port), and a week ago I updated pfSense to the latest updates.
                    So far I see I can not really do much about preventing this in the future; it's all in the hands of my ISP.
                    Are there really no suggestions for how I can minimize the chance of being DDoSed?

                    johnpoz:

                      Don't piss anyone off ;) Don't run any service(s) that might offend people. You know, like a website stating your opinions ;) Or your business that someone doesn't like.. Or someone could make money by taking you offline for a while..

                      You can work with your ISP on what they can put in place to mitigate DDoS via active monitoring if you're worried about it. Let's just say it's going to require a budget!!

                      vaskotoo:

                        Update:

                        The reason for the DDoS was well known to our ISP: there had been warnings of DDoS against all the banks and companies that deal with money transfers. That's how we got affected.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.