HOWTO: Stop NTP amplification attacks from reaching your nodes!

Mun · Feb 20, 2014

Francisco said:
if brctl --help | grep -q "addbr"; then
brctl can be installed and will answer even if no bridge exists.

You'd be better off checking if /proc/sys/net/bridge-nf-call-iptables exists or not.

If it does, a bridge is active.

Francisco

Alright, ill start working on that now

Thanks

Mun · Feb 20, 2014

As per @Francisco's suggestion I have changed how I lookup a bridge.

Source: http://cdn.content-network.net/Mun/apps/frantp/0.6a/source.txt

Http://

wget http://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -

https://

wget https://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -

Code change:

if [ -a "/proc/sys/net/bridge/bridge-nf-call-iptables" ]; then

#
# This allows us to check if the bridge exists in a more appropriate way.
#

Anymore suggestions?

Mun

bzImage · Feb 21, 2014

First they came for the Socialists, and I did not speak out-- Because I was not a Socialist.
Then they came for the Trade Unionists, and I did not speak out-- Because I was not a Trade Unionist.
Then they came for the Jews, and I did not speak out-- Because I was not a Jew.
Then they came for me--and there was no one left to speak for me.

Instead of looking for the next get rich quick scheme remember when a good portion of the net went dark because this exploit was used to take level3 offline. Food for thought.

Virtovo · Feb 22, 2014

Has anyone seen any issues with conntrack as a result of this fix?

Francisco · Feb 22, 2014

Virtovo said:
Has anyone seen any issues with conntrack as a result of this fix?

Not on our nodes, no.

Francisco

TrentaHost · Feb 26, 2014

Thank You for sharing this Francisco

drmike · Feb 26, 2014

So help a sad person out...

CentOS 5...

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic = 10
net.bridge.bridge-nf-call-iptables = 1

error: "net.bridge.bridge-nf-call-iptables" is an unknown key

So is the issue the CentOS version?

Francisco · Feb 26, 2014

drmike said:
So help a sad person out...

CentOS 5...

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic = 10
net.bridge.bridge-nf-call-iptables = 1

error: "net.bridge.bridge-nf-call-iptables" is an unknown key
So is the issue the CentOS version?

Is it an OpenVZ node or a KVM?

sysctl -a | grep bridge

Francisco

Magiobiwan · Feb 26, 2014

If there's not a bridge set up, then that key won't exist. On OpenVZ nodes, there shouldn't be a bridge.

rapidnode · Feb 27, 2014

Thanks for sharing this! Also, make sure your conntrack tables don't fill up =)

Mun · Feb 27, 2014

drmike said:
So help a sad person out...

CentOS 5...

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic = 10
net.bridge.bridge-nf-call-iptables = 1

error: "net.bridge.bridge-nf-call-iptables" is an unknown key

So is the issue the CentOS version?

What version are you using to run this, I assume you are using the script. As of current Magiobiwans script simply throws it in place, as did my initial versions. If you use 0.6a You shouldn't have that issue. I also suggest you remove the 'net.bridge.bridge-nf-call-iptables = 1' from your /etc/systl.conf if you aren't using openVZ as you don't need it.

Mun

splitice · Mar 27, 2014

A late addition to the thread:

iptables -A FORWARD ! -f -p udp -m multiport --ports 123 -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
Will block all UDP monlist packet IN or OUT allowing you to also stop any MONLIST packets that may leak through hardware protection (of course this is not a substitute for good protection).

A slightly altered variant of this rule has been tested with a stresser

key900 · Mar 13, 2015

Great work seems good way.

X3host · May 18, 2015

Is this work with openvz OS ??

Francisco · May 19, 2015

CoMBoZo said:
Is this work with openvz OS ??

This just stops your VM's from being used to DDOS other people, it won't stop NTP floods from hitting you straight in the face.

Francisco

VPSclub · Feb 13, 2016

Helpful tutorial, thanks.

Is there any way to stop DNS amplification attack? Any tutorial on this, would be highly appreciated.

PraHost · Jun 3, 2023

Very helpful. i will keep handy these tuts

HOWTO: Stop NTP amplification attacks from reaching your nodes!

Mun

Never Forget

Mun

Never Forget

bzImage

New Member

Virtovo

New Member

Francisco

Company Lube

TrentaHost

New Member

drmike

100% Tier-1 Gogent

Francisco

Company Lube

Magiobiwan

Insert Witty Statement Here

rapidnode

New Member

Mun

Never Forget

splitice

Just a little bit crazy...

key900

New Member

X3host

New Member

Francisco

Company Lube

VPSclub

New Member

PraHost

New Member