HOWTO: Stop NTP amplification attacks from reaching your nodes!

Discussion in 'Tutorials and Guides' started by Francisco, Feb 18, 2014.

  1. Francisco

    Francisco Company Lube Verified Provider

    you could just check the output of brctl list and see if they have a bridge or not?

    If they don't have a bridge (openvz) then the entry won't 'do' anything wrong, it won't even load since the sysctl params won't exist.

    Francisco
     
  2. Magiobiwan

    Magiobiwan Insert Witty Statement Here Verified Provider

    Fran, you are awesome. As it happens your posting this coincided with several of our nodes being hammered from outbound attacks thanks to misconfigured NTP servers. I feel obliged to purchase a VPS from you now.
     
  3. Magiobiwan

    Magiobiwan Insert Witty Statement Here Verified Provider

    I modified Mun's script slightly to make it also edit /etc/rc.local. The new script version can be found at...


    wget http://darkrai.unovarpgnet.net/antintp.sh -O - | bash

    No HTTPS for it; my server in SEA doesn't have a cert. You could download over HTTPS I suppose, it'd just complain it's invalid. 
     
  4. TruvisT

    TruvisT Server Management Specialist Verified Provider

  5. Francisco

    Francisco Company Lube Verified Provider

    Thanks!

    Anyone had contact with solusvm or is that a lost cause?

    Francisco
     
  6. Virtovo

    Virtovo New Member Verified Provider

    I've dropped them a ticket as you've specifically referenced it.  I have no prior experience with SolusVM; however they are quite quickly reversing bad things I have read about them.  This week they have offered swift resolution to two issues I had with one of them being a feature added that is in the latest beta.  Still not going to let IPv6 handling go.  Wish there was a panel that worked and assigned /64s!
     
  7. Francisco

    Francisco Company Lube Verified Provider

    K, cool. Sorry for coming off as nagging, but it'd likely chop down the amount of bandwidth involved in floods if they merged it.

    Francisco
     
  8. Virtovo

    Virtovo New Member Verified Provider

    No of course.  I didn't realise the history you had with SolusVM.  I have since read some threads about it.
     
  9. Francisco

    Francisco Company Lube Verified Provider

    There's more that isn't public ;p

    With that being said, this thread is about something much bigger.

    Francisco
     
  10. Virtovo

    Virtovo New Member Verified Provider

    Agreed.  Are you spreading the word further afield?
     
  11. Francisco

    Francisco Company Lube Verified Provider

    As I can but WHT doesn't seem to give much of a crap about it.

    I have a lot of other projects going on right now so I can't really pump tons of time into awareness on this.

    Maybe I should try to get the cloudflare guy to retweet this link and or write a small blurb about it? I'll tweet him and see what happens.

    Francisco
     
    Last edited by a moderator: Feb 19, 2014
  12. Virtovo

    Virtovo New Member Verified Provider

    Maybe drop a message to the NTF: http://nwtime.org/ they operate http://openntpproject.org/
     
  13. Francisco

    Francisco Company Lube Verified Provider

  14. mcmyhost

    mcmyhost New Member

    I've been looking around tcpdump and cannot find the correct way to filter IPv6.

    Perhaps you've had better luck?
     
  15. Francisco

    Francisco Company Lube Verified Provider

    I've not had time to look into the v6 packets for it.

    I've been caught up with backups & working on an autonull for fiberhub.

    Francisco
     
  16. Mun

    Mun Never Forget

    Do all OSes have brctl as a command for bridge-utils? I am trying to test if the bridge exists via the "addbr" command.

    Mun

    Update:

    https://cdn.content-network.net/Mun/apps/frantp/0.2/source.txt <-- here is the new source. I added the below code to check to see if brctl is installed, and if so then run the "net.bridge.bridge-nf-call-iptables = 1" echo into sysctl.conf

    Code:
    if brctl --help | grep -q "addbr"; then
        if grep -q "net.bridge.bridge-nf-call-iptables = 1" "/etc/sysctl.conf"; then
            echo "Sysctl already done!"
        else
            echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
            sysctl -p
        fi
    else
        echo "No bridge installed..."
    fi
    
    I also added Magiobiwan's rc.local code as well as adding his script to my server, so that it could be accessed over https://.

    Code:
    For https://
    wget https://cdn.content-network.net/Mun/apps/frantp/0.2/script.sh -O - | bash -
    
    for http://
    wget http://cdn.content-network.net/Mun/apps/frantp/0.2/script.sh -O - | bash -
    
    for Magiobiwan's script over https://
    wget https://cdn.content-network.net/Mun/apps/frantp/magiobiwan/1.2/script.sh -O - | bash -
    
     
    Last edited by a moderator: Feb 20, 2014
  17. Mun

    Mun Never Forget

    New Version 0.5! Checks to see if Magiobiwan's rc.local code chunk is already installed, and if so skips. This prevents duplicates in rc.local!

    Source: https://cdn.content-network.net/Mun/apps/frantp/0.5/source.txt


    For https://
    wget https://cdn.content-network.net/Mun/apps/frantp/0.5/script.sh -O - | bash -

    for http://
    wget http://cdn.content-network.net/Mun/apps/frantp/0.5/script.sh -O - | bash -

    Mun
     
    Last edited by a moderator: Feb 20, 2014
  18. Magiobiwan

    Magiobiwan Insert Witty Statement Here Verified Provider

    Now all we need to make it do is solve world hunger and create world peace! 
     
  19. mcmyhost

    mcmyhost New Member

    $worldpeace = false;
    $worldhunger = false;

    if $worldpeace = false {
    $worldpeace = true;
    }

    if $worldhunger = false {
    $worldhunger = true;
    }

    Simple!
     
    Last edited by a moderator: Feb 20, 2014
  20. Francisco

    Francisco Company Lube Verified Provider

    Code:
    if brctl --help | grep -q "addbr"; then

    brctl can be installed and will answer even if no bridge exists.
    You'd be better off checking if /proc/sys/net/bridge-nf-call-iptables exists or not.

    If it does, a bridge is active.

    Francisco
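Francisco's suggestion above, written out as an added example that is not from the thread or from either posted script: probe for the bridge netfilter entry (assumed here to be at its full path /proc/sys/net/bridge/bridge-nf-call-iptables, which only appears once the bridge module is loaded) instead of asking brctl, and append the sysctl line only when it is not already there. The paths are parameters so the logic can be tried against scratch files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): detect an active bridge by the presence
# of the bridge netfilter proc entry, then add the sysctl line idempotently.
# Assumption: the entry lives at /proc/sys/net/bridge/bridge-nf-call-iptables.

# Exit 0 when the proc entry exists. A missing entry means the bridge module is
# not loaded, which is what an OpenVZ-only node looks like.
bridge_active() {
    [ -e "${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}" ]
}

# Append "key = value" to a sysctl.conf only if that exact line is absent.
# Prints "present" or "added" so the caller knows whether the file changed.
ensure_sysctl_line() {
    conf="$1"; key="$2"; value="$3"
    line="$key = $value"
    if grep -qxF "$line" "$conf" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$line" >> "$conf"
        echo added
    fi
}

# Wire the two together. Arguments are optional and exist so the logic can be
# exercised against scratch files: $1 = proc entry to probe, $2 = sysctl.conf.
# On a real node call it with no arguments and follow up with: sysctl -p
configure_bridge_filtering() {
    probe="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    conf="${2:-/etc/sysctl.conf}"
    if bridge_active "$probe"; then
        ensure_sysctl_line "$conf" net.bridge.bridge-nf-call-iptables 1
    else
        echo "no bridge"
    fi
}
```

Running it twice on a bridged node reports "added" and then "present", so rc.local or a cron job can call it safely without stacking duplicate lines in sysctl.conf.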