HOWTO: Stop NTP amplification attacks from reaching your nodes!

Francisco

Company Lube
Verified Provider
KK, think I will make another one without the bridge adapter for people who won't be using it on a VPS setup.
You could just check the output of brctl list and see if they have a bridge or not?

If they don't have a bridge (OpenVZ) then the entry won't 'do' anything wrong; it won't even load, since the sysctl params won't exist.

Francisco
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Fran, you are awesome. As it happens your posting this coincided with several of our nodes being hammered from outbound attacks thanks to misconfigured NTP servers. I feel obliged to purchase a VPS from you now.
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
I modified Mun's script slightly to make it also edit /etc/rc.local. The new script version can be found at...


wget http://darkrai.unovarpgnet.net/antintp.sh -O - | bash

No HTTPS for it; my server in SEA doesn't have a cert. You could download over HTTPS, I suppose; it'd just complain it's invalid.
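The wget-into-bash line above runs whatever the HTTP server, or anyone on the path, hands back. As an added example that is not part of the thread: fetch the script to a file, check its SHA-256 against a digest obtained out of band (from the author, over a channel you trust), and only then execute it. The placeholder digest in the usage comment is an assumption, not a value from the thread; the helper names are mine.

```sh
#!/bin/sh
# Added example, not part of the thread. Download-verify-run instead of
# wget ... | bash. The digest must come from somewhere other than the same
# unauthenticated HTTP server, or the check proves nothing.

# sha256_of FILE -> hex digest, using whichever tool the host has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# digest_matches FILE EXPECTED -> exit 0 only when the digests are equal
digest_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified URL EXPECTED_SHA256 -> download, verify, then execute with bash
run_verified() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$1"; then
        echo "download failed: $1" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! digest_matches "$tmp" "$2"; then
        echo "digest mismatch for $1, not running it" >&2
        echo "  got:      $(sha256_of "$tmp")" >&2
        echo "  expected: $2" >&2
        rm -f "$tmp"
        return 1
    fi
    rc=0
    bash "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# usage (the digest below is a placeholder, not the real value for that script):
#   run_verified http://darkrai.unovarpgnet.net/antintp.sh <sha256 published by the author>
```

Publishing the digest in the forum post itself, over HTTPS, gives readers something to compare against even when the download host has no certificate.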
 

Virtovo

New Member
Verified Provider
Thanks!


Anyone had contact with SolusVM, or is that a lost cause?


Francisco
I've dropped them a ticket as you've specifically referenced it. I have no prior experience with SolusVM; however, they are quite quickly reversing bad things I have read about them. This week they have offered swift resolution to two issues I had, with one of them being a feature added that is in the latest beta. Still not going to let IPv6 handling go. Wish there was a panel that worked and assigned /64s!
 

Francisco

Company Lube
Verified Provider
K, cool. Sorry for coming off as nagging, but it'd likely chop down the amount of bandwidth involved in floods if they merged it.

Francisco
 

Virtovo

New Member
Verified Provider


Francisco
No, of course. I didn't realise the history you had with SolusVM. I have since read some threads about it.
 

Francisco

Company Lube
Verified Provider
There's more that isn't public ;p

With that being said, this thread is about something much bigger.

Francisco
 

Francisco

Company Lube
Verified Provider
Agreed.  Are you spreading the word further afield?
As I can, but WHT doesn't seem to give much of a crap about it.

I have a lot of other projects going on right now so I can't really pump tons of time into awareness on this.

Maybe I should try to get the Cloudflare guy to retweet this link and/or write a small blurb about it? I'll tweet him and see what happens.

Francisco
 

Virtovo

New Member
Verified Provider


Francisco
Maybe drop a message to the NTF (http://nwtime.org/); they operate http://openntpproject.org/
 

mcmyhost

New Member
I've been looking around tcpdump and cannot find the correct way to filter IPv6.

Perhaps you've had better luck?
 

Francisco

Company Lube
Verified Provider
I've not had time to look into the v6 packets for it.

I've been caught up with backups & working on an autonull for fiberhub.

Francisco
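On the IPv6 tcpdump question above, as an added example that is not from the thread: tcpdump's udp[n] byte offsets only work for IPv4 (libpcap rejects them under ip6 with "IPv6 upper-layer protocol is not supported by proto[x]"), so for IPv6 you index from the start of the IPv6 header with ip6[n], which assumes no extension headers: UDP header at byte 40, NTP payload at byte 48. The NTP amplification traffic of this period is mode 7 (private), implementation 3, request code 42 (MON_GETLIST_1, the monlist query); the response echoes those two bytes and sets the top bit of the first byte. The script applies exactly those offsets to constructed hex packets (assumed sample data, not captures from anyone's node) so the matching logic can be checked offline, and prints the equivalent tcpdump expressions. Function and variable names are mine.

```sh
#!/bin/sh
# Added example, not from the thread. Classify a raw packet given as a hex
# string with the same byte offsets a tcpdump/BPF expression has to use for
# NTP mode 7 MON_GETLIST_1 traffic, for IPv4 and for IPv6 (no IPv6 extension
# headers assumed, which is also what the fixed ip6[48] offsets assume).

# byte HEX OFFSET -> decimal value of the byte at OFFSET (0 if past the end)
byte() {
    local pair
    pair=$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    [ ${#pair} -eq 2 ] || { echo 0; return; }
    echo $(( 0x$pair ))
}

# mon_getlist_class HEX -> v4-monlist-request | v4-monlist-response |
#                          v6-monlist-request | v6-monlist-response | other
mon_getlist_class() {
    local hex ver udp sport dport pl b0
    hex=$1
    ver=$(( $(byte "$hex" 0) >> 4 ))
    case $ver in
        4)  # protocol at byte 9; IHL (low nibble of byte 0) locates the UDP header
            [ "$(byte "$hex" 9)" -eq 17 ] || { echo other; return; }
            udp=$(( ( $(byte "$hex" 0) & 15 ) * 4 )) ;;
        6)  # next header at byte 6; fixed 40-byte header without extension headers
            [ "$(byte "$hex" 6)" -eq 17 ] || { echo other; return; }
            udp=40 ;;
        *)  echo other; return ;;
    esac
    sport=$(( $(byte "$hex" $udp) * 256 + $(byte "$hex" $(( udp + 1 ))) ))
    dport=$(( $(byte "$hex" $(( udp + 2 ))) * 256 + $(byte "$hex" $(( udp + 3 ))) ))
    pl=$(( udp + 8 ))                 # 8-byte UDP header; NTP starts here
    b0=$(byte "$hex" $pl)             # R | M | VN(3) | Mode(3)
    if [ $(( b0 & 7 )) -ne 7 ] \
       || [ "$(byte "$hex" $(( pl + 2 )))" -ne 3 ] \
       || [ "$(byte "$hex" $(( pl + 3 )))" -ne 42 ]; then
        echo other; return
    fi
    if [ $(( b0 & 128 )) -ne 0 ] && [ "$sport" -eq 123 ]; then
        echo "v${ver}-monlist-response"
    elif [ $(( b0 & 128 )) -eq 0 ] && [ "$dport" -eq 123 ]; then
        echo "v${ver}-monlist-request"
    else
        echo other
    fi
}

# monlist_bpf 4|6 -> tcpdump expression matching the same packets on the wire
monlist_bpf() {
    case $1 in
        4) echo 'ip and udp port 123 and udp[8] & 0x7 = 7 and udp[10] = 3 and udp[11] = 42' ;;
        6) echo 'ip6 and udp port 123 and ip6[48] & 0x7 = 7 and ip6[50] = 3 and ip6[51] = 42' ;;
    esac
}

# Constructed sample packets (hex, checksums zeroed), not real captures.
IP6_HDR='6000000000101140'        # ver 6, payload len 16, next header 17 (UDP), hop limit 64
IP6_A='20010db8000000000000000000000001'
IP6_B='20010db8000000000000000000000002'
IP4_HDR='450000240000400040110000c0000201c0000202'  # ver 4, IHL 5, len 36, proto 17
UDP_TO_123='c0a0007b00100000'     # sport 49312, dport 123, len 16, csum 0
UDP_FROM_123='007bc0a000100000'   # sport 123, dport 49312
MON_REQ='1700032a00000000'        # 0x17 = v2 mode 7; impl 3 (XNTPD); req 42 (MON_GETLIST_1)
MON_RESP='9700032a00000000'       # same with the response bit (0x80) set
NTP_CLIENT='2300000000000000'     # 0x23 = v4 mode 3; 8-byte stub, only byte 0 matters here

V6_REQ=$IP6_HDR$IP6_A$IP6_B$UDP_TO_123$MON_REQ
V6_RESP=$IP6_HDR$IP6_B$IP6_A$UDP_FROM_123$MON_RESP
V4_REQ=$IP4_HDR$UDP_TO_123$MON_REQ
V4_PLAIN=$IP4_HDR$UDP_TO_123$NTP_CLIENT

# usage on a node:  tcpdump -ni eth0 "$(monlist_bpf 6)"
```

Because `udp port 123` matches either direction and a mode 7 response echoes the implementation and request-code bytes, the same expression shows both the spoofed queries arriving at a node and the large replies leaving it; the first byte's top bit tells the two apart.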
 

Mun

Never Forget
Do all OSes have brctl as a command from bridge-utils? I am trying to test if the bridge exists via the "addbr" command.

Mun

Update:

https://cdn.content-network.net/Mun/apps/frantp/0.2/source.txt <-- here is the new source. I added the below code to check to see if brctl is installed, and if so then run the "net.bridge.bridge-nf-call-iptables = 1" echo into sysctl.conf
Code:
# Only touch sysctl.conf when brctl (bridge-utils) is installed; its help text lists "addbr"
if brctl --help 2>&1 | grep -q "addbr"; then
    # Skip the append when the line is already present
    if grep -q "net.bridge.bridge-nf-call-iptables = 1" "/etc/sysctl.conf"; then
        echo "Sysctl already done!"
    else
        echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
        sysctl -p
    fi
else
    echo "No bridge installed..."
fi
I also added Magiobiwan's rc.local code, as well as adding his script to my server so that it can be accessed over https://.

Code:
# For https://
wget https://cdn.content-network.net/Mun/apps/frantp/0.2/script.sh -O - | bash -

# For http://
wget http://cdn.content-network.net/Mun/apps/frantp/0.2/script.sh -O - | bash -

# For Magiobiwan's script over https://
wget https://cdn.content-network.net/Mun/apps/frantp/magiobiwan/1.2/script.sh -O - | bash -
 

Mun

Never Forget
New Version 0.5! Checks to see if Magiobiwan's rc.local code chunk is already installed, and if so skips. This prevents duplicates in rc.local!

Source: https://cdn.content-network.net/Mun/apps/frantp/0.5/source.txt


Code:
# For https://
wget https://cdn.content-network.net/Mun/apps/frantp/0.5/script.sh -O - | bash -

# For http://
wget http://cdn.content-network.net/Mun/apps/frantp/0.5/script.sh -O - | bash -

Mun
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Now all we need to make it do is solve world hunger and create world peace! 
 

Francisco

Company Lube
Verified Provider
if brctl --help | grep -q "addbr"; then
brctl can be installed and will answer even if no bridge exists.
You'd be better off checking if /proc/sys/net/bridge-nf-call-iptables exists or not.

If it does, a bridge is active.

Francisco
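Pulling together the first post's point that the sysctl line is harmless on a node without a bridge, Mun's brctl check, and the suggestion just above to test for the /proc/sys knob instead. As an added example, not Mun's or Magiobiwan's script: the knob the kernel exposes is /proc/sys/net/bridge/bridge-nf-call-iptables (note the bridge/ directory), and it appears only when the bridge netfilter code is loaded; from kernel 3.18 onward that is the separate br_netfilter module, so a host with a configured bridge can still lack it until `modprobe br_netfilter`, while a host with bridge-utils installed but no bridge never has it. The script gates on the knob and appends the sysctl line idempotently. KNOB and CONF being overridable is a demo convenience so the functions can be tried against temp files; the defaults are the real paths. Function names are mine.

```sh
#!/bin/sh
# Added example, not Mun's or Magiobiwan's script. Gate the bridge-netfilter
# sysctl on the kernel knob rather than on whether brctl is installed, and
# append the setting to sysctl.conf only once.

KNOB=${KNOB:-/proc/sys/net/bridge/bridge-nf-call-iptables}
CONF=${CONF:-/etc/sysctl.conf}
KEY=net.bridge.bridge-nf-call-iptables

# bridge_nf_present -> exit 0 when the kernel exposes the knob. That requires
# the bridge netfilter code to be loaded (from kernel 3.18 the separate
# br_netfilter module), so a host with bridge-utils installed but nothing
# loaded reports 1, as does an OpenVZ container.
bridge_nf_present() {
    [ -e "$KNOB" ]
}

# ensure_sysctl CONF -> prints "added" or "already"; never writes a duplicate.
# The regex tolerates any spacing, so "key=1" and "key = 1" both count.
ensure_sysctl() {
    if grep -Eq '^[[:space:]]*net\.bridge\.bridge-nf-call-iptables[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null; then
        echo already
    else
        # An earlier "... = 0" line may remain; sysctl -p applies the file in
        # order, so the appended "= 1" wins.
        printf '%s = 1\n' "$KEY" >> "$1"
        echo added
    fi
}

# apply -> persist the setting and apply it live, or say why it was skipped
apply() {
    if bridge_nf_present; then
        ensure_sysctl "$CONF"
        sysctl -w "$KEY=1"
    else
        echo "no $KNOB: bridge netfilter not loaded (OpenVZ, or br_netfilter missing); skipping"
        return 1
    fi
}

# usage:  sh bridge-nf.sh apply
case "${1:-}" in
    apply) apply ;;
esac
```

When the line does end up in sysctl.conf on a node without the knob, procps `sysctl -p` reports that key as unknown and exits non-zero after applying the rest; `sysctl -e -p` ignores unknown keys, which is the harmless behaviour the first post describes.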
 