Understanding and mitigating NTP-based DDoS attacks (cloudflare.com)
40 points by jgrahamc 1377 days ago | hide | past | web | 8 comments | favorite

Very interesting (and frightening) about NTP, but I am afraid the first part of this claim about SNMP is not accurate:

Luckily, there are few open SNMP servers on the Internet and SNMP usually requires authentication (although many are poorly secured).

A 2012 study revealed 13k+ open SNMP servers amongst 25 million Dutch IPs scanned [1].

[1] [Dutch] http://www.itsx.com/files/2012-11-SNMP-paper-v1.0.pdf

Well, yes and no. They could make the argument that in "internet scale" (sic) that still qualifies as "few" (at least when compared to the number of open DNS resolvers).

On the other hand, the number of open DNS resolvers used in the attacks described in the presentation (slides 7/8) was around 30K, and with a much smaller amplification factor, so these numbers can still do some damage.

It would be interesting to know if there have been "hybrid" DDoS attacks, utilizing multiple spoofed-origin+amplification methods.

Yes, we have noticed this on a customer installation that had its traffic increase from 47 to 69 Terabit/s during December.

Oh well, at least it only affects our installation and should not affect the customer network more than that. They have a stupid amount of capacity.

If you're on Debian it's as easy as 'disable monitor', restart ntp, and you're safe.

Isn't the default pretty OK anyhow? At least looking at the ntp.conf on a raspbian/centos/fedora here, there's

   restrict  default kod notrap nomodify nopeer noquery
The noquery stops you from dumping the peer/monitor list.
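The two fixes discussed above ('disable monitor' and 'restrict default ... noquery') both aim at the same thing: stopping ntpd from answering the mode 7 MON_GETLIST_1 ("monlist") request that produces the amplification. The following is an added example, not code from the thread or from the Cloudflare article, for checking whether a server you operate still answers that request and how large the amplification is. The packet layout (mode 7 "private" header, IMPL_XNTPD = 3, REQ_MON_GETLIST_1 = 42, 72-byte info_monitor_1 entries) follows ntpd's ntp_request.h; build_sample_reply() fabricates a reply so the parser can be exercised offline, and the addresses in it are documentation ranges, not real hosts.

```python
"""Probe an NTP server for the mode 7 "monlist" response and measure amplification.

Added example: wire format taken from ntpd's ntp_request.h; nothing here is the
article's or the thread's own code.  Run only against servers you are allowed to test.
"""
import socket
import struct
import sys
from dataclasses import dataclass

IMPL_XNTPD = 3            # "implementation" byte used by ntpd for mode 7
REQ_MON_GETLIST_1 = 42    # request code for the monlist (MON_GETLIST_1)
MON_ITEM_SIZE = 72        # sizeof(struct info_monitor_1)


def build_monlist_request() -> bytes:
    """8-byte mode 7 request: R=0, M=0, VN=2, mode=7 -> 0x17; auth/seq 0; impl; req; err|nitems; mbz|size."""
    return struct.pack("!BBBBHH", 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


@dataclass
class MonlistReply:
    more: bool        # server has further packets for this sequence
    seq: int          # packet sequence number (7 bits)
    err: int          # non-zero means the server refused (e.g. monitor disabled)
    items: list       # (client IPv4, packet count) per monitored peer


def parse_monlist_reply(data: bytes) -> MonlistReply:
    """Decode one mode 7 reply packet.  Raises ValueError on anything that is not a monlist reply."""
    if len(data) < 8:
        raise ValueError("short packet")
    b0, b1, impl, req, errcnt, mbzsz = struct.unpack("!BBBBHH", data[:8])
    if not (b0 & 0x80) or (b0 & 0x07) != 7:
        raise ValueError("not a mode 7 response (R bit clear or wrong mode)")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("unexpected implementation/request code")
    more = bool(b0 & 0x40)
    seq = b1 & 0x7F
    err, nitems = errcnt >> 12, errcnt & 0x0FFF
    size = mbzsz & 0x0FFF
    items = []
    for i in range(nitems):
        item = data[8 + i * size: 8 + (i + 1) * size]
        if len(item) < 32:
            raise ValueError("truncated monitor entry")
        # info_monitor_1: lasttime, firsttime, restr, count, addr, daddr, flags (u32 each),
        # port (u16), mode (u8), version (u8); the IPv6 fields that follow are ignored here.
        (_last, _first, _restr, count, addr, _daddr, _flags,
         _port, _mode, _ver) = struct.unpack("!IIIIIIIHBB", item[:32])
        items.append((socket.inet_ntoa(struct.pack("!I", addr)), count))
    return MonlistReply(more, seq, err, items)


def amplification_factor(request_len: int, reply_lens) -> float:
    """Bytes returned per byte sent, at the UDP payload level."""
    return sum(reply_lens) / request_len


def build_sample_reply(entries, more=False, seq=0) -> bytes:
    """Constructed reply (not a capture) so the parser can be tested offline."""
    b0 = 0x97 | (0x40 if more else 0)  # R=1, VN=2, mode 7, optional M bit
    hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(entries) & 0x0FFF, MON_ITEM_SIZE)
    body = b""
    for ip, count in entries:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        item = struct.pack("!IIIIIIIHBB", 0, 0, 0, count, addr, 0, 0, 123, 3, 4)
        body += item.ljust(MON_ITEM_SIZE, b"\x00")
    return hdr + body


def probe(host: str, port: int = 123, timeout: float = 2.0):
    """Send one request, collect reply packets until the 'more' bit clears or the socket times out."""
    req = build_monlist_request()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        while True:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
            try:
                if not parse_monlist_reply(data).more:
                    break
            except ValueError:
                break
    return req, replies


if __name__ == "__main__":
    req, replies = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    if not replies:
        print("no reply: monlist refused or filtered")
    else:
        first = parse_monlist_reply(replies[0])
        print(f"err={first.err} packets={len(replies)} "
              f"amplification={amplification_factor(len(req), map(len, replies)):.1f}x")
        for ip, count in first.items:
            print(f"  {ip}  {count} packets")
```

A patched server either stays silent (noquery) or answers a single packet with a non-zero err field and no entries (monitor disabled); a vulnerable one returns up to 6 entries per packet across as many packets as it has monitored peers, which is where the roughly 19x figure quoted from the article comes from.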

"The request packet is 234 bytes long. The response is 10 packets... totalling 4,460 bytes."

What is the size of a TAICLOCK response? (TAICLOCK is a more precise NTP alternative.)

Between 20 and 256 bytes. The packet received is modified and sent back, so there is no amplification.

One of our instances rented on Hetzner got involved a few days ago. 80GB of outgoing traffic. We got blocked swiftly and unblocked quite soon after fixing the problem.
