HOWTO: Stop NTP amplification attacks from reaching your nodes!

Mun

Never Forget
if brctl --help | grep -q "addbr"; then
brctl can be installed and will answer even if no bridge exists.

You'd be better off checking if /proc/sys/net/bridge-nf-call-iptables exists or not.


If it does, a bridge is active.


Francisco
Alright, I'll start working on that now :)

Thanks
 

Mun

Never Forget
As per @Francisco's suggestion I have changed how I look up a bridge.

Source: http://cdn.content-network.net/Mun/apps/frantp/0.6a/source.txt


http://

wget http://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -


https://

wget https://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -

Code change:


if [ -e "/proc/sys/net/bridge/bridge-nf-call-iptables" ]; then

#
# This allows us to check if the bridge exists in a more appropriate way.
# -e is the POSIX spelling of the file-exists test (bash also accepts -a).
#

Any more suggestions?

Mun
 

bzImage

New Member
First they came for the Socialists, and I did not speak out-- Because I was not a Socialist.
Then they came for the Trade Unionists, and I did not speak out-- Because I was not a Trade Unionist.
Then they came for the Jews, and I did not speak out-- Because I was not a Jew.
Then they came for me--and there was no one left to speak for me.
 

Instead of looking for the next get-rich-quick scheme, remember when a good portion of the net went dark because this exploit was used to take Level3 offline. Food for thought.
 

drmike

100% Tier-1 Gogent
So help a sad person out...

CentOS 5...


sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic = 10
net.bridge.bridge-nf-call-iptables = 1



error: "net.bridge.bridge-nf-call-iptables" is an unknown key

So is the issue the CentOS version?
 

Francisco

Company Lube
Verified Provider
drmike said:
So help a sad person out... CentOS 5... sysctl -p ... error: "net.bridge.bridge-nf-call-iptables" is an unknown key ... So is the issue the CentOS version?
Is it an OpenVZ node or a KVM?

sysctl -a | grep bridge

Francisco
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
If there's not a bridge set up, then that key won't exist. On OpenVZ nodes, there shouldn't be a bridge. 
 

Mun

Never Forget
drmike said:
So help a sad person out... CentOS 5... sysctl -p ... error: "net.bridge.bridge-nf-call-iptables" is an unknown key ... So is the issue the CentOS version?
What version are you using to run this? I assume you are using the script. As of now, Magiobiwan's script simply throws it in place, as did my initial versions. If you use 0.6a you shouldn't have that issue. I also suggest you remove 'net.bridge.bridge-nf-call-iptables = 1' from your /etc/sysctl.conf if you aren't using OpenVZ, as you don't need it.

Mun
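A worked version of the check discussed above, added here as an example and not taken from frantp or from any poster's script: it tests for the same /proc key that Mun's code change uses, and then applies that test to drmike's problem, where sysctl -p on a node without a bridge fails because net.bridge.bridge-nf-call-iptables does not exist. The function names and the --apply flag are this example's own assumptions; the /proc path and the sysctl key are the real ones.

```shell
#!/bin/sh
# Added example, not frantp's code: only touch net.bridge.* sysctls when the bridge
# netfilter key exists. The /proc path is the real key; the --apply flag and the
# function names are this example's own choices.

BRIDGE_NF_PATH=/proc/sys/net/bridge/bridge-nf-call-iptables

# Succeeds when the bridge netfilter hook is present. The key only appears once the
# kernel's bridge code is loaded (on recent kernels, the br_netfilter module), which is
# why sysctl -p on a node without a bridge reports it as an unknown key.
# An optional argument overrides the path so the check can be exercised without a bridge.
bridge_nf_present() {
    [ -e "${1:-$BRIDGE_NF_PATH}" ]
}

# Print the subset of a sysctl.conf that is safe to load on this host: net.bridge.*
# lines are kept only when the key exists. $1 = sysctl.conf, $2 = optional path override.
filter_sysctl_conf() {
    if bridge_nf_present "$2"; then
        cat "$1"
    else
        grep -v '^[[:space:]]*net\.bridge\.' "$1"
    fi
}

# Enable bridge netfilter (so bridged frames traverse the FORWARD chain) only where the
# key exists; elsewhere say so and succeed instead of failing the whole script.
# $1 = optional path override.
enable_bridge_nf() {
    if bridge_nf_present "$1"; then
        sysctl -w net.bridge.bridge-nf-call-iptables=1
    else
        echo "no bridge netfilter key on this node, skipping net.bridge.bridge-nf-call-iptables" >&2
    fi
}

# Usage: sh bridge_nf_guard.sh --apply   (loads a filtered copy of /etc/sysctl.conf)
if [ "${1:-}" = "--apply" ]; then
    tmp=$(mktemp) || exit 1
    filter_sysctl_conf /etc/sysctl.conf > "$tmp"
    sysctl -p "$tmp"
    rc=$?
    rm -f "$tmp"
    enable_bridge_nf
    exit $rc
fi
```

Run with --apply as root, or source the file and call the functions from your own script. On a node without a bridge the filter drops only the net.bridge.* lines, which has the same effect as Mun's advice to remove the line by hand, but without editing /etc/sysctl.conf on nodes that do have a bridge.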
 

splitice

Just a little bit crazy...
Verified Provider
A late addition to the thread:


iptables -A FORWARD ! -f -p udp -m multiport --ports 123 -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
This will block all UDP monlist packets IN or OUT, allowing you to also stop any MONLIST packets that may leak through hardware protection (of course, this is not a substitute for good protection).

A slightly altered variant of this rule has been tested with a stresser :)
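To show what the u32 expression in the rule above actually inspects, here is an emulation of it run over hand-built packets. This is an added example, not splitice's tested rule or any code from the thread; the three packets are constructed for illustration, with checksums left at zero, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not splitice's rule or frantp code): emulate the iptables u32 match
#   "0>>22&0x3C@8&0xFF=42"
# on constructed packets to show what it tests. Packets are hand-built hex with
# zeroed checksums, purely for illustration.

# Big-endian 32-bit word at byte offset $2 of the hex string $1 (spaces and newlines ignored).
word_at() {
    wa_hex=$(printf '%s' "$1" | tr -d ' \n')
    wa_start=$(( $2 * 2 + 1 ))
    wa_word=$(printf '%s' "$wa_hex" | cut -c "$wa_start-$(( wa_start + 7 ))")
    echo $(( 0x$wa_word ))
}

# Emulate "0>>22&0x3C@8&0xFF=42" on a raw IPv4 packet given as hex.
# Returns 0 (match) for an NTP mode-7 request whose request code is 42 (MON_GETLIST_1).
u32_monlist_match() {
    um_w0=$(word_at "$1" 0)
    # 0>>22&0x3C: word 0 starts with version|IHL; shifting right by 22 and masking with
    # 0x3C leaves IHL*4, the IP header length in bytes (20 without options).
    um_ihl=$(( (um_w0 >> 22) & 0x3C ))
    # @8: rebase to the end of the IP header and read the word 8 bytes further on,
    # i.e. past the 8-byte UDP header, at the first word of the NTP payload.
    um_w=$(word_at "$1" $(( um_ihl + 8 )))
    # &0xFF=42: the low byte of that word is the mode-7 request code; 42 is MON_GETLIST_1.
    [ $(( um_w & 0xFF )) -eq 42 ]
}

# Constructed packets (192.168.0.2 -> 192.168.0.1, UDP 55330 -> 123, checksums zeroed).
# IPv4 header without options (IHL=5), total length 36.
IP_HDR="45 00 00 24 00 01 00 00 40 11 00 00 c0 a8 00 02 c0 a8 00 01"
# Same header with four NOP options (IHL=6), total length 40.
IP_HDR_OPTS="46 00 00 28 00 01 00 00 40 11 00 00 c0 a8 00 02 c0 a8 00 01 01 01 01 01"
# IPv4 header without options, total length 76, for the 48-byte client packet.
IP_HDR_76="45 00 00 4c 00 02 00 00 40 11 00 00 c0 a8 00 02 c0 a8 00 01"
UDP_HDR_16="d8 22 00 7b 00 10 00 00"
UDP_HDR_56="d8 22 00 7b 00 38 00 00"
# NTP mode 7 request: 0x17 = version 2, mode 7; impl 3 (XNTPD); request code 0x2a = 42.
NTP_MONLIST="17 00 03 2a 00 00 00 00"
# Ordinary NTPv4 client poll: 0x23 = LI 0, version 4, mode 3; remaining 44 bytes zeroed.
NTP_CLIENT="23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

MONLIST_REQ="$IP_HDR $UDP_HDR_16 $NTP_MONLIST"
MONLIST_REQ_IPOPTS="$IP_HDR_OPTS $UDP_HDR_16 $NTP_MONLIST"
NTP_V4_CLIENT="$IP_HDR_76 $UDP_HDR_56 $NTP_CLIENT"

show() {
    if u32_monlist_match "$2"; then
        echo "$1: matches, would be dropped"
    else
        echo "$1: no match"
    fi
}
show "monlist request"             "$MONLIST_REQ"
show "monlist request, IP options" "$MONLIST_REQ_IPOPTS"
show "ordinary NTPv4 client poll"  "$NTP_V4_CLIENT"
```

Running it reports a match for both monlist requests and none for the client poll; the IHL arithmetic is what keeps the rule correct when the IP header carries options, where a fixed offset of 28 would land inside the UDP header instead. Because the rule sits in FORWARD it only sees traffic the node forwards or bridges (with bridge-nf-call-iptables enabled); protecting the host's own ntpd needs the same match in INPUT and OUTPUT.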
 

VPSclub

New Member
Helpful tutorial, thanks.


Is there any way to stop DNS amplification attacks? Any tutorial on this would be highly appreciated.
 