

Understanding and mitigating NTP-based DDoS attacks - jgrahamc
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

======
nmc
Very interesting (and frightening) about NTP, but I am afraid the first part
of this claim about SNMP is not accurate:

“ _Luckily, there are few open SNMP servers on the Internet and SNMP usually
requires authentication (although manly are poorly secured)._ ”

A 2012 study revealed 13k+ open SNMP servers amongst 25 million Dutch IPs
scanned [1].

[1] [Dutch] [http://www.itsx.com/files/2012-11-SNMP-paper-v1.0.pdf](http://www.itsx.com/files/2012-11-SNMP-paper-v1.0.pdf)

~~~
yourad_io
Well, yes and no. They could make the argument that in "internet scale" (sic)
that still qualifies as "few" (at least when compared to the number of open
DNS resolvers).

On the other hand, the number of open DNS resolvers used in the attacks
described in the presentation (slides 7/8) was around 30K, and with a much
smaller amplification factor, so these numbers can still do some damage.

It would be interesting to know if there have been "hybrid" DDOS attacks,
utilizing multiple spoofed-origin+amplification methods.

------
yxhuvud
Yes, we have noticed this on a customer installation that has its traffic
increased from 47 to 69 Terabit/s during December.

Oh well, at least it only affects our installation and should not affect the
customer network more than that. They have a stupid amount of capacity.

------
jacksoncage
If you're on Debian it's as easy as 'disable monitor', restart ntp and you're
safe.

~~~
noselasd
Isn't the default pretty OK anyhow? At least looking at the ntp.conf on a
raspbian/centos/fedora here, there's

    restrict  default kod notrap nomodify nopeer noquery


The noquery stops you from dumping the peer/monitor list.
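Since the two comments above turn on whether the shipped `restrict default` line is enough, here is an added example (written for this page, not code from the thread or from the linked Cloudflare post) that audits an ntp.conf for the two settings that matter for monlist: a `restrict default` line without `noquery` for either address family, and `monitor` left enabled. The two ntp.conf fragments are constructed samples; the checker assumes that a later `restrict ... default` line for the same family replaces an earlier one, and that `ignore` on the default line also suffices. Caveats worth knowing: `noquery` blocks mode 6/7 queries (monlist included) but a laxer `restrict` for some source range would still expose it there, `disable monitor` empties the list that monlist would return, and ntpd 4.2.7p26 and later removed monlist altogether.

```python
"""Audit an ntp.conf for monlist amplification exposure (added example)."""

# Constructed sample: the "default" line permits mode 6/7 queries and monitor is
# left at ntpd's enabled default, so monlist from anywhere is answered.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
"""

# Constructed sample: noquery on both families plus 'disable monitor'.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""


def audit_ntp_conf(text: str) -> dict:
    """Return {'monlist_exposed': bool, 'findings': [str, ...]}.

    Only 'restrict [-4|-6] default ...' and 'enable/disable monitor' are
    examined; everything else in the file is ignored.
    """
    default_flags = {}          # address family -> set of restrict flags
    monitor_enabled = True      # ntpd's default when nothing says otherwise

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] == "restrict":
            args = tok[1:]
            families = ("4", "6")               # bare 'default' covers both
            if args and args[0] in ("-4", "-6"):
                families = (args[0][1],)
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    # assumption: a later default line for a family wins
                    default_flags[fam] = set(args[1:])
        elif tok[0] in ("enable", "disable") and "monitor" in tok[1:]:
            monitor_enabled = tok[0] == "enable"

    findings = []
    queries_open = False
    for fam in ("4", "6"):
        flags = default_flags.get(fam, set())   # no line at all = wide open
        if "noquery" not in flags and "ignore" not in flags:
            queries_open = True
            findings.append(
                f"IPv{fam}: 'restrict default' lacks noquery, so mode 7 "
                f"queries such as monlist are answered for any source")
    if monitor_enabled:
        findings.append("'monitor' is enabled: the MRU list monlist dumps "
                        "is being kept (add 'disable monitor')")

    return {"monlist_exposed": queries_open and monitor_enabled,
            "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ntp_conf(conf)
        print(name, "exposed:", result["monlist_exposed"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against the contents of `/etc/ntp.conf` instead of the samples to see which of the two settings a given box is relying on; the single `restrict default ... noquery` line quoted in the thread comes out as not exposed, with one informational finding that `monitor` is still on.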

------
gwu78
"The request packet is 234 bytes long. The response is 10 packets... totalling
4,460 bytes."

What is the size of a TAICLOCK response? (TAICLOCK is a more precise NTP
alternative.)

~~~
erichocean
Between 20 and 256 bytes. The packet received is modified and sent back, so
there is no amplification.
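To make the request/response sizes in the exchange above concrete, here is an added example (written for this page; it is neither ntpd's code nor anything from the Cloudflare post) that builds the mode 7 monlist probe, parses the 8-byte mode 7 header of each reply packet, and computes the amplification factor as reply bytes per request byte. The reply packets are constructed in the block itself, with zero-filled entries; the 72-byte entry size and six entries per packet are taken from ntp_request.h and are assumptions of the example, not measurements. The final comparison is the case erichocean describes: a reflector that returns the request unchanged amplifies by exactly 1.

```python
"""NTP mode 7 monlist probe, header parser and amplification calculator."""
import struct

MODE_PRIVATE = 7          # NTP mode 7, the "private" request channel
REQ_VERSION = 2           # request version ntpd expects for mode 7
IMPL_XNTPD = 3            # implementation number used by ntpdc
REQ_MON_GETLIST_1 = 42    # request code for monlist
MON_ITEM_SIZE = 72        # assumed size of one info_monitor_1 entry
HEADER = struct.Struct("!BBBBHH")   # rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_size


def build_monlist_request() -> bytes:
    """The minimal 8-byte probe: R=0, M=0, VN=2, mode=7, seq 0, no items."""
    rm_vn_mode = (REQ_VERSION << 3) | MODE_PRIVATE      # 0x17
    return HEADER.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the bit fields of a mode 7 packet header and sanity-check length."""
    if len(pkt) < HEADER.size:
        raise ValueError("mode 7 header is 8 bytes")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_size = HEADER.unpack(pkt[:8])
    hdr = {
        "response": bool(rm_vn_mode & 0x80),   # R bit
        "more": bool(rm_vn_mode & 0x40),       # M bit: more packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "authenticated": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,             # high 4 bits
        "nitems": err_nitems & 0x0FFF,         # low 12 bits
        "item_size": mbz_size & 0x0FFF,
    }
    if hdr["nitems"] * hdr["item_size"] > len(pkt) - HEADER.size:
        raise ValueError("item count exceeds packet payload")
    return hdr


def build_monlist_response(seq: int, more: bool, nitems: int) -> bytes:
    """Constructed reply packet for the example: real header, zero-filled entries."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (REQ_VERSION << 3) | MODE_PRIVATE
    hdr = HEADER.pack(rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      nitems & 0x0FFF, MON_ITEM_SIZE & 0x0FFF)
    return hdr + bytes(nitems * MON_ITEM_SIZE)


def monlist_entries(responses) -> int:
    """Count recent-client entries across a multi-packet monlist reply."""
    total = 0
    for pkt in responses:
        h = parse_mode7_header(pkt)
        ok = (h["response"] and h["mode"] == MODE_PRIVATE
              and h["request_code"] == REQ_MON_GETLIST_1 and h["error"] == 0)
        if not ok:
            raise ValueError("not a successful monlist reply")
        total += h["nitems"]
    return total


def amplification_factor(request: bytes, responses) -> float:
    """Reply bytes delivered to the spoofed source per request byte (UDP payload only)."""
    return sum(len(r) for r in responses) / len(request)


if __name__ == "__main__":
    req = build_monlist_request()
    # ten reply packets of six entries each, M bit set on all but the last
    replies = [build_monlist_response(i, i < 9, 6) for i in range(10)]
    print("probe bytes:", len(req), "entries:", monlist_entries(replies),
          "bytes back:", sum(map(len, replies)),
          "factor: %.1f" % amplification_factor(req, replies))
    # a reflector that sends the request back unchanged: no amplification
    print("echo-style factor:", amplification_factor(req, [req]))
```

Against a live host the same 8-byte probe is what `ntpdc -n -c monlist <host>` sends, and the 234-byte figure quoted above is simply a larger client request carrying the same header; the attacker controls the request size, so the factor to worry about is the one computed from the minimal probe. Only probe hosts you are responsible for.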

------
nobodyshere
One of our instances rented on Hetzner got involved a few days ago. 80GB of
outgoing traffic. We got blocked swiftly and unblocked quite soon after fixing
the problem.

