NTP DDoS
-
i have dns server using udp, how i do block the attacks? i have no find setup in pfsense. :'(
i get the report:
our DDoS mitigation system detected attacks against your machine, at 13:02, 13:16 and 13:41 GMT today.
Here are our logs of these incidents:Time: 13:02
Attack method: NTP Reflection
Attack type: udp_flood
Initial attack power: 254562 packets per second
Peak attack power: 254562 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 918 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 254562 packets per secondTime: 13:16
Attack method: NTP Reflection
Attack type: udp_flood
Initial attack power: 263489 packets per second
Peak attack power: 263489 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 943 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 263489 packets per secondTime: 14:31
Attack method: NTP Reflection
Attack type: udp_flood
Initial attack power: 279938 packets per second
Peak attack power: 279938 packets per second
Attack direction: incoming
Attack protocol: udp
Total incoming traffic: 997 mbps
Total outgoing traffic: 0 mbps
Total incoming pps: 279938 packets per second -
"how i do block the attacks?"
You can not mitigate a Volumetric attack at the end of the pipe, it has to be blocked upstream. So it never fills up your pipe.
Looks like from those it was already mitigated upstream from you. And they are just letting you know.
-
i have own BGP and ASN, pfsense is running BGP FRR. now only for ipv6.
ipv4 using upstream vpn forword to my localhost.
I need to think about how I can prevent this attack.
-
And again it is not possible to stop a volumetric attack at the end of the pipe.. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc..
Why do people not understand this?
Only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or make it so the traffic does not go down your pipe… From what you posted the amount of traffic was gig
Total incoming traffic: 943 mbps
Do you have 2ge or 10ge, then that attack would not be an issue and you could ride it out and just drop the packets at your end. But if you only have 1 ge, then yeah that is going to fill up your pipe and you have problem..
How we do it at work, we have our own ASN and large IP space.. Is working with https://www.arbornetworks.com/ddos-protection-products
If a volumetric attack is detected the traffic is diverted upstream before it is sent to us..
While your firewall/IPS or Load balancer can help against an attack overloading your server that is being attacked. If the attack is purely volumetric and fills up you pipe there is no way to mitigate/stop it other than upstream from your pipe.
-
yes, but i want to become small isp for my local.
so i need study how do it.
now they said 200G attack today.
Hello,
We have just received an attack in excess of 200gbit towards your VM.
We have null routed your IP to prevent our transit ports from becoming saturated -
And again it is not possible to stop a volumetric attack at the end of the pipe.. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc..
Why do people not understand this?
Only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or make it so the traffic does not go down your pipe… From what you posted the amount of traffic was gig
Total incoming traffic: 943 mbps
Do you have 2ge or 10ge, then that attack would not be an issue and you could ride it out and just drop the packets at your end. But if you only have 1 ge, then yeah that is going to fill up your pipe and you have problem..
How we do it at work, we have our own ASN and large IP space.. Is working with https://www.arbornetworks.com/ddos-protection-products
If a volumetric attack is detected the traffic is diverted upstream before it is sent to us..
While your firewall/IPS or Load balancer can help against an attack overloading your server that is being attacked. If the attack is purely volumetric and fills up you pipe there is no way to mitigate/stop it other than upstream from your pipe.
if you will, we can bgp peering. now i have add more bgp nodes.
-
@yon:
so i need study how do it.
You cannot do anything against it.
Only your upstream provider where you get your traffic from can prevent this. And obviously they did.Again, you cannot do it on your side of the cable. No matter how much you study.
-
If you want to become a small ISP then you would need to partner with 1 of the big boys to mitigate such attacks for you..
Very large volumetric ddos can only be mitigated by carrier level sort of traffic manipulation…
While you can null route small chunks.. Once you null route a specific portion of your address space your dead anyway and the ddos won..
Small ISPs get taken offline all the time... Shoot even large ones can be taken down if enough traffic gets pushed towards them from enough places.. Zues botnet was a major example of this.. When the parent ISPs cut off the 2 minor ISPs where a lot of the C&C was being handled. So all of the normal users to that ISP just went away ;) No Internet for YOU!! ;)
-
DDOS protection requires a certain level of expertise and specialization. You're going to need more info on the topic that what a general internet forum can provide. Unless you're working at my State Uni, which has over 1Tb/s of backbone connection, there's not much you can do.
My ISP has handled DDOS attacks by purchasing more bandwidth temporarily. I am not sure how large the attacks are, but even low end DDOS attacks are quire large these days.
