DDos attack on UDP port 123

  • Hi all and thanks for your time.

    For the past week I've been under a DDos attack. It is stopping my access to the internet and stopping my site from being accessed. I have been on to my ISP and all they can seem to do is block the IP's involved. That does not help as hours later the IP changes and the attack continues.
    The attack is getting as far as my PFsense and the firewall is dropping the packets as it is supposed to. There are over 12000 requests per second coming in though and it's maxing out my CPU.
    Can someone help me with this?

    Thank you.

  • LAYER 8 Global Moderator

    so 123, or ntp?  Are you running a ntp server that you did not update the config on?  Have you been living in a cave - there has been huge issues with ntp attacks.  Prob using you as source for ntp attack.  Can you post some of these queries on a sniff?  You sure you just didn't list your IP in pool.ntp.org and set your bandwidth too high.  If you set your bandwidth in for a server in ntp org to gig, your going to get a lot of queries ;)

    I have my serve in pool.ntp but I set my bandwidth to 384k, and get about 2 queries a second

  • Yes ntp.
    No I am not running an ntp server and the ntp service is not running on my pfsense.
    It is an awesome cave. I know about the issues with the ntp attacks but I don't know how to stop them.
    Like I said my PFsense is dropping all the packets.

    Anything else?

  • LAYER 8 Global Moderator

    Well if didn't open the port, and not listening on ntp then yes its either attack against you or mistake.  If your not answering these ntp queries then if was pool you would drop off the list because your server has to maintain a score of 10 to be listed.

    Can you post some of these packets..  So for example here is sniff of normal ntp query and my server answering..  Lets see some of these 12k pps and what is in them - is a actual valid query or someone running the ntp attack against your machine?

    Your going to need to change your IP address, or contact your ISP and have them block all 123 to you..  If it really a ddos, there is not much you can do at your end..  You need to move (change ip) or get your isp to block it.

    Are the packets all coming from same IP, same netblock or all over the board..  See in my below traces for ntp, normally running a ntp server will get you IPs from all over the place.

  • When they are coming in they are only coming in from one ip address. Since last Friday there have been about 5 or 6 different ip's.
    I have been on to my isp and asked them to look into it and to block all ntp requests but they said they couldn't.
    After going back and forth with them for a week asking them to do something their top tier tech support's answer was to call the cops.
    Below is a screen shot of the latest ip.
    I was thinking I would have to change my ip's but if this is not random and someone is directing it at me then they will change with me.

  • You're just unlucky to be singled out as a target for an NTP amplification DDoS even if you don't have an NTP service open. It can happen if your IP address looks otherwise "interesting" for such attacks because you have a public web site (for example) open on the IP address.

  • LAYER 8 Global Moderator

    That sniff looks very odd, the source port is 80 (http)..  So yeah really look like amplification attack since your server would sent traffic back to you would assume a http server on that IP.  Could you actually grab one of the packets and see what is in it.. If they are asking you for listing of your clients, which is one of the known attack vectors.

    That network shows as

    inetnum: -
    netname:        JavaPipeLLC
    descr:          DDoS protected services EUROPE
    country:        RO

    You could contact them about traffic that looks to be coming from their network - which in reality is most likely not, they are most likely the ones under attack.

    person:        Iosif Rapan
    address:        Strada Rozelor, Nr.11, Bl. G3, Ap. 15, Otelu Rosu
    phone:          +1.8009181890
    nic-hdl:        IR1497-RIPE
    mnt-by:        VOXILITY-MNT
    source:        RIPE # Filtered
    abuse-mailbox:  abuse-admin@javapipe.com

    Seems kind of pointless to try and use you as amplification if your not answering their queries.  I would change your IP, since it doesn't seem your the one under attack but a pawn in their game of attacking that source IP an port.

  • I have contacted the last IP address owner and they are under attack.
    It is as you say they are trying to use our ip for amplification. It is annoying though as it is not working for them and yet they still use my ip.
    There is a new IP hitting me now  >:(  below is a packet.

  • LAYER 8 Global Moderator

    Yup so they are trying to use to attack this guy

    49.103.176.in-addr.arpa. 10800  IN      SOA    ns1.xserver.ua. vitaliy.xserver.

    inetnum: -
    netname:        XServer-IP-Network-6
    descr:          PE Ivanov Vitaliy Sergeevich
    country:        UA

    Yup as you highlighted they are requesting your monitor list..  Which would be a LOT Of data, for their one small query that you would send in that direction.

    I would really just change your IP dude..  Should be as simple as changing your mac and renew your dhcp lease.

  • We have 30 static ip's so it's a little more involved than that.
    I'll change them on Monday as I'm not in the mood for all the records that will have to be changed to accommodated them.
    Right now I need a beer.

    Thanks for all the info. Have a great weekend!!

  • LAYER 8 Global Moderator

    So they are hitting all 30 of your IPs?  Or just 1?

Log in to reply