NTP DDoS



  • I have a DNS server using UDP. How do I block the attacks? I could not find a setting for it in pfSense. :'(

    I get the report:

    our DDoS mitigation system detected attacks against your machine, at 13:02, 13:16 and 13:41 GMT today.
    Here are our logs of these incidents:

    Time: 13:02
    Attack method: NTP Reflection
    Attack type: udp_flood
    Initial attack power: 254562 packets per second
    Peak attack power: 254562 packets per second
    Attack direction: incoming
    Attack protocol: udp
    Total incoming traffic: 918 mbps
    Total outgoing traffic: 0 mbps
    Total incoming pps: 254562 packets per second

    Time: 13:16
    Attack method: NTP Reflection
    Attack type: udp_flood
    Initial attack power: 263489 packets per second
    Peak attack power: 263489 packets per second
    Attack direction: incoming
    Attack protocol: udp
    Total incoming traffic: 943 mbps
    Total outgoing traffic: 0 mbps
    Total incoming pps: 263489 packets per second

    Time: 14:31
    Attack method: NTP Reflection
    Attack type: udp_flood
    Initial attack power: 279938 packets per second
    Peak attack power: 279938 packets per second
    Attack direction: incoming
    Attack protocol: udp
    Total incoming traffic: 997 mbps
    Total outgoing traffic: 0 mbps
    Total incoming pps: 279938 packets per second


  • LAYER 8 Global Moderator

    "how i do block the attacks?"

    You cannot mitigate a volumetric attack at the end of the pipe; it has to be blocked upstream, so it never fills up your pipe.

    Looks like, from those, it was already mitigated upstream from you, and they are just letting you know.



  • I have my own BGP and ASN; pfSense is running BGP FRR, now only for IPv6.

    IPv4 is using an upstream VPN forward to my localhost.

    I need to think about how I can prevent this attack.


  • LAYER 8 Global Moderator

    And again, it is not possible to stop a volumetric attack at the end of the pipe. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc.

    Why do people not understand this?

    The only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or make it so the traffic does not go down your pipe. From what you posted, the amount of traffic was a gig:

    Total incoming traffic: 943 mbps

    If you have 2GE or 10GE, then that attack would not be an issue and you could ride it out and just drop the packets at your end. But if you only have 1GE, then yeah, that is going to fill up your pipe and you have a problem.

    How we do it at work (we have our own ASN and large IP space) is working with https://www.arbornetworks.com/ddos-protection-products

    If a volumetric attack is detected the traffic is diverted upstream before it is sent to us..

    While your firewall/IPS or load balancer can help against an attack overloading the server that is being attacked, if the attack is purely volumetric and fills up your pipe there is no way to mitigate/stop it other than upstream from your pipe.



  • Yes, but I want to become a small ISP for my local area.

    So I need to study how to do it.

    Now they said a 200G attack today.

    Hello,
    We have just received an attack in excess of 200gbit towards your VM.
    We have null routed your IP to prevent our transit ports from becoming saturated



  • @johnpoz:

    And again, it is not possible to stop a volumetric attack at the end of the pipe. You could stop advertising whatever IP they are attacking so the traffic does not go down your pipe, etc.

    Why do people not understand this?

    The only way to stop/mitigate such an attack is to have such a fat pipe that the traffic does not fill it, or make it so the traffic does not go down your pipe. From what you posted, the amount of traffic was a gig:

    Total incoming traffic: 943 mbps

    If you have 2GE or 10GE, then that attack would not be an issue and you could ride it out and just drop the packets at your end. But if you only have 1GE, then yeah, that is going to fill up your pipe and you have a problem.

    How we do it at work (we have our own ASN and large IP space) is working with https://www.arbornetworks.com/ddos-protection-products

    If a volumetric attack is detected the traffic is diverted upstream before it is sent to us..

    While your firewall/IPS or load balancer can help against an attack overloading the server that is being attacked, if the attack is purely volumetric and fills up your pipe there is no way to mitigate/stop it other than upstream from your pipe.

    If you want, we can do BGP peering. Now I have added more BGP nodes.



  • @yon:

    So I need to study how to do it.

    You cannot do anything against it.
    Only your upstream provider where you get your traffic from can prevent this. And obviously they did.

    Again, you cannot do it on your side of the cable. No matter how much you study.


  • LAYER 8 Global Moderator

    If you want to become a small ISP then you would need to partner with 1 of the big boys to mitigate such attacks for you..

    Very large volumetric ddos can only be mitigated by carrier level sort of traffic manipulation…

    While you can null route small chunks, once you null route a specific portion of your address space you're dead anyway and the DDoS won.

    Small ISPs get taken offline all the time. Shoot, even large ones can be taken down if enough traffic gets pushed towards them from enough places. The Zeus botnet was a major example of this: when the parent ISPs cut off the 2 minor ISPs where a lot of the C&C was being handled, all of the normal users of those ISPs just went away ;) No Internet for YOU!! ;)
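    What "stop advertising the attacked IP" and "null route a small chunk" look like on the OP's FRR setup, as an added example (not from anyone in this thread): a remotely triggered blackhole (RTBH) announcement of only the attacked /32, tagged with the RFC 7999 BLACKHOLE community 65535:666, so the upstream drops that traffic before it enters the pipe while the rest of the prefix stays reachable. All addresses and AS numbers are documentation-range placeholders, and the example assumes the upstream accepts a /32 carrying that community (most transit providers filter bare /32s otherwise).

```text
! Added example, not the thread's own configuration: FRR (vtysh) RTBH for one host.
! Placeholders: our AS 64500, our prefix 203.0.113.0/24, attacked host 203.0.113.10,
! upstream neighbor 192.0.2.1 in AS 64496.
!
! 1. Drop traffic to the attacked host locally too, so nothing is forwarded to it
!    (the static route also satisfies FRR's default "bgp network import-check").
ip route 203.0.113.10/32 blackhole
!
! 2. Only the blackholed host gets the BLACKHOLE community; the aggregate passes unchanged.
ip prefix-list RTBH-PFX seq 10 permit 203.0.113.10/32
!
route-map RTBH-OUT permit 10
 match ip address prefix-list RTBH-PFX
 set community 65535:666 additive
!
route-map RTBH-OUT permit 20
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 address-family ipv4 unicast
  network 203.0.113.0/24
  network 203.0.113.10/32
  neighbor 192.0.2.1 route-map RTBH-OUT out
 exit-address-family
!
! 3. When the attack ends, withdraw the /32 again:
!    no ip route 203.0.113.10/32 blackhole
!    router bgp 64500 -> address-family ipv4 unicast -> no network 203.0.113.10/32
```

    For the IPv6-only BGP the OP currently runs, the same pattern applies with `ipv6 route <host>/128 blackhole`, `match ipv6 address prefix-list`, and the `network` and `route-map out` statements under `address-family ipv6 unicast`. As johnpoz says, this sacrifices the attacked host to save the pipe; it does not make the host itself reachable again.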



  • DDoS protection requires a certain level of expertise and specialization. You're going to need more info on the topic than what a general internet forum can provide. Unless you're working at my State Uni, which has over 1Tb/s of backbone connection, there's not much you can do.

    My ISP has handled DDoS attacks by purchasing more bandwidth temporarily. I am not sure how large the attacks are, but even low end DDoS attacks are quite large these days.

