Netgate Discussion Forum

    NTP DDoS

    General pfSense Questions
    9 Posts 4 Posters 936 Views
    • yon

      I have a DNS server using UDP. How do I block the attacks? I have not found a setting for it in pfSense. :'(

      I got this report:

      our DDoS mitigation system detected attacks against your machine, at 13:02, 13:16 and 13:41 GMT today.
      Here are our logs of these incidents:

      Time: 13:02
      Attack method: NTP Reflection
      Attack type: udp_flood
      Initial attack power: 254562 packets per second
      Peak attack power: 254562 packets per second
      Attack direction: incoming
      Attack protocol: udp
      Total incoming traffic: 918 mbps
      Total outgoing traffic: 0 mbps
      Total incoming pps: 254562 packets per second

      Time: 13:16
      Attack method: NTP Reflection
      Attack type: udp_flood
      Initial attack power: 263489 packets per second
      Peak attack power: 263489 packets per second
      Attack direction: incoming
      Attack protocol: udp
      Total incoming traffic: 943 mbps
      Total outgoing traffic: 0 mbps
      Total incoming pps: 263489 packets per second

      Time: 14:31
      Attack method: NTP Reflection
      Attack type: udp_flood
      Initial attack power: 279938 packets per second
      Peak attack power: 279938 packets per second
      Attack direction: incoming
      Attack protocol: udp
      Total incoming traffic: 997 mbps
      Total outgoing traffic: 0 mbps
      Total incoming pps: 279938 packets per second

      If you are interested in free peering for clearnet and dn42, contact me!

      • johnpoz LAYER 8 Global Moderator

        "how i do block the attacks?"

        You cannot mitigate a volumetric attack at the end of the pipe; it has to be blocked upstream, so it never fills up your pipe.

        From those logs it looks like it was already mitigated upstream from you, and they are just letting you know.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • yon

          I have my own BGP and ASN; pfSense is running BGP via FRR, currently only for IPv6.

          IPv4 is forwarded from an upstream VPN to my local host.

          I need to think about how I can prevent this attack.

          • johnpoz LAYER 8 Global Moderator

            And again, it is not possible to stop a volumetric attack at the end of the pipe. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc.

            Why do people not understand this?

            The only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or to make it so the traffic does not go down your pipe. From what you posted, the amount of traffic was about a gig:

            Total incoming traffic: 943 mbps

            If you have 2 GE or 10 GE, then that attack would not be an issue; you could ride it out and just drop the packets at your end. But if you only have 1 GE, then yeah, that is going to fill up your pipe and you have a problem.

            How we do it at work (we have our own ASN and large IP space) is by working with https://www.arbornetworks.com/ddos-protection-products

            If a volumetric attack is detected, the traffic is diverted upstream before it is sent to us.

            While your firewall/IPS or load balancer can help against an attack overloading the server that is being attacked, if the attack is purely volumetric and fills up your pipe there is no way to mitigate/stop it other than upstream from your pipe.

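As an added example (not from this thread, pfSense or FRR), a small Python script that parses the provider report format quoted in the first post and checks each incident against the 1 GE / 2 GE / 10 GE link sizes discussed above; it also derives the average packet size from mbps and pps, which is a useful sanity check on the reflection vector named in the report. The saturation threshold (usable_fraction) is an assumption, and the sample report is constructed from the figures in the thread.

```python
# Constructed sample in the same layout as the provider report quoted above;
# the second incident is trimmed to the fields this script uses.
REPORT = """Time: 13:02
Attack method: NTP Reflection
Attack type: udp_flood
Initial attack power: 254562 packets per second
Peak attack power: 254562 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 918 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 254562 packets per second

Time: 14:31
Attack method: NTP Reflection
Total incoming traffic: 997 mbps
Total incoming pps: 279938 packets per second
"""

def parse_report(text):
    """Split the report into one dict per incident, keyed by lower-cased field name."""
    incidents = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first ':' only, so 'Time: 13:02' survives
            fields[key.strip().lower()] = value.strip()
        if "time" in fields:
            incidents.append(fields)
    return incidents

def _leading_number(value):
    """'918 mbps' -> 918.0, '254562 packets per second' -> 254562.0."""
    return float(value.split()[0])

def assess(incident, link_mbps, usable_fraction=0.9):
    """Compare one incident with a link of link_mbps. usable_fraction is an assumed
    threshold: the link counts as saturated once the attack alone takes that share."""
    mbps = _leading_number(incident["total incoming traffic"])
    pps = _leading_number(incident["total incoming pps"])
    avg_packet_bytes = round(mbps * 1e6 / 8 / pps)  # bits -> bytes, per packet
    return {"time": incident["time"], "method": incident["attack method"],
            "mbps": mbps, "pps": pps, "avg_packet_bytes": avg_packet_bytes,
            "link_mbps": link_mbps, "saturated": mbps >= link_mbps * usable_fraction}

if __name__ == "__main__":
    for link in (1000, 2000, 10000):  # 1 GE, 2 GE, 10 GE
        for inc in parse_report(REPORT):
            print(assess(inc, link))
```

Run against the figures in the thread, a 1 GE link is saturated by every incident while a 2 GE or 10 GE link is not, which is exactly the "ride it out and drop the packets" case described above.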
            • yon

              Yes, but I want to become a small ISP for my local area.

              So I need to study how to do it.

              Now they say there was a 200G attack today:

              Hello,
              We have just received an attack in excess of 200gbit towards your VM.
              We have null routed your IP to prevent our transit ports from becoming saturated.

              • yon

                @johnpoz:

                And again, it is not possible to stop a volumetric attack at the end of the pipe. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc.

                Why do people not understand this?

                The only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or to make it so the traffic does not go down your pipe. From what you posted, the amount of traffic was about a gig:

                Total incoming traffic: 943 mbps

                If you have 2 GE or 10 GE, then that attack would not be an issue; you could ride it out and just drop the packets at your end. But if you only have 1 GE, then yeah, that is going to fill up your pipe and you have a problem.

                How we do it at work (we have our own ASN and large IP space) is by working with https://www.arbornetworks.com/ddos-protection-products

                If a volumetric attack is detected, the traffic is diverted upstream before it is sent to us.

                While your firewall/IPS or load balancer can help against an attack overloading the server that is being attacked, if the attack is purely volumetric and fills up your pipe there is no way to mitigate/stop it other than upstream from your pipe.

                If you like, we can do BGP peering. I have now added more BGP nodes.

                • jahonix

                  @yon:

                  So I need to study how to do it.

                  You cannot do anything against it.
                  Only your upstream provider where you get your traffic from can prevent this. And obviously they did.

                  Again, you cannot do it on your side of the cable. No matter how much you study.

                  • johnpoz LAYER 8 Global Moderator

                    If you want to become a small ISP then you would need to partner with one of the big boys to mitigate such attacks for you.

                    Very large volumetric DDoS can only be mitigated by carrier-level traffic manipulation.

                    While you can null route small chunks, once you null route a specific portion of your address space you're dead anyway and the DDoS won.

                    Small ISPs get taken offline all the time. Shoot, even large ones can be taken down if enough traffic gets pushed towards them from enough places. The Zeus botnet was a major example of this, when the parent ISPs cut off the two minor ISPs where a lot of the C&C was being handled. So all of the normal users of those ISPs just went away ;) No Internet for YOU!! ;)

                    • Harvy66

                      DDoS protection requires a certain level of expertise and specialization. You're going to need more info on the topic than what a general internet forum can provide. Unless you're working at my State Uni, which has over 1Tb/s of backbone connection, there's not much you can do.

                      My ISP has handled DDoS attacks by purchasing more bandwidth temporarily. I am not sure how large the attacks are, but even low-end DDoS attacks are quite large these days.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.