HOWTO: Stop NTP amplification attacks from reaching your nodes!

Discussion in 'Tutorials and Guides' started by Francisco, Feb 18, 2014.

  1. Mun

    Mun Never Forget

    May 9, 2013
    Alright, I'll start working on that now :)

    Thanks
     
  2. Mun

    Mun Never Forget

    May 9, 2013
    As per @Francisco's suggestion I have changed how I look up a bridge.

    Source: http://cdn.content-network.net/Mun/apps/frantp/0.6a/source.txt


    Http://

    wget http://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -


    https://

    wget https://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -

    Code change:


    if [ -a "/proc/sys/net/bridge/bridge-nf-call-iptables" ]; then

    #
    # This allows us to check if the bridge exists in a more appropriate way.
    #

    Any more suggestions?

    Mun
     
  3. bzImage

    bzImage New Member

    May 19, 2013
    First they came for the Socialists, and I did not speak out-- Because I was not a Socialist.
    Then they came for the Trade Unionists, and I did not speak out-- Because I was not a Trade Unionist.
    Then they came for the Jews, and I did not speak out-- Because I was not a Jew.
    Then they came for me--and there was no one left to speak for me.
     

    Instead of looking for the next get-rich-quick scheme, remember when a good portion of the net went dark because this exploit was used to take Level3 offline. Food for thought.
     
    Last edited by a moderator: Feb 21, 2014
  4. Virtovo

    Virtovo New Member Verified Provider

    Dec 19, 2013
    Has anyone seen any issues with conntrack as a result of this fix? 
     
  5. Francisco

    Francisco Company Lube Verified Provider

    May 15, 2013
    Not on our nodes, no.

    Francisco
     
  6. TrentaHost

    TrentaHost New Member

    Feb 26, 2014
    Thank you for sharing this, Francisco.
     
  7. drmike

    drmike 100% Tier-1 Gogent

    May 13, 2013
    So help a sad person out...

    CentOS 5...


    sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.ip_forward = 1
    net.ipv6.conf.default.forwarding = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.all.rp_filter = 1
    kernel.sysrq = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0
    kernel.panic = 10
    net.bridge.bridge-nf-call-iptables = 1



    error: "net.bridge.bridge-nf-call-iptables" is an unknown key

    So is the issue the CentOS version?
     
  8. Francisco

    Francisco Company Lube Verified Provider

    May 15, 2013
    Is it an OpenVZ node or a KVM?

    sysctl -a | grep bridge

    Francisco
     
  9. Magiobiwan

    Magiobiwan Insert Witty Statement Here Verified Provider

    May 15, 2013
    If there's not a bridge set up, then that key won't exist. On OpenVZ nodes, there shouldn't be a bridge. 
     
  10. rapidnode

    rapidnode New Member Verified Provider

    Jun 28, 2013
    Thanks for sharing this! Also, make sure your conntrack tables don't fill up =)
     
  11. Mun

    Mun Never Forget

    May 9, 2013
    What version are you using to run this? I assume you are using the script. As of now, Magiobiwan's script simply throws it in place, as did my initial versions. If you use 0.6a you shouldn't have that issue. I also suggest you remove 'net.bridge.bridge-nf-call-iptables = 1' from your /etc/sysctl.conf if you aren't using OpenVZ, as you don't need it.

    Mun
     
  12. splitice

    splitice Just a little bit crazy... Verified Provider

    Jun 16, 2013
    A late addition to the thread:


    iptables -A FORWARD ! -f -p udp -m multiport --ports 123 -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
    Will block all UDP monlist packets IN or OUT, allowing you to also stop any MONLIST packets that may leak through hardware protection (of course this is not a substitute for good protection).

    A slightly altered variant of this rule has been tested with a stresser :)
     
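The u32 test in the rule above reads the IP header length, jumps past the 8-byte UDP header and checks the low byte of the first NTP word, which in a mode 7 request is the request code (42 = MON_GETLIST_1). As an added example, not code from the thread, the Python below evaluates that same test step by step against constructed packets, including one with IP options, to show why the IHL arithmetic is needed; the packet builder, addresses and sample payloads are assumptions of the example.

```python
import struct

# NTP mode 7 request code 42 = MON_GETLIST_1 (the "monlist" query the rule drops).
MON_GETLIST_1 = 42

# Constructed sample payloads (not captured traffic):
# mode 7 header: [R|M|VN|mode][auth|seq][implementation][request code] + 44 zero bytes
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + b"\x00" * 44
# ordinary NTPv4 client poll: LI=0, VN=4, mode=3, remaining fields zero
NTP_CLIENT_REQUEST = bytes([0x23]) + b"\x00" * 47


def build_packet(ntp_payload, ip_options=b""):
    """Constructed IPv4 + UDP/123 packet; checksums stay 0 (u32 never reads them)."""
    assert len(ip_options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + 8 + len(ntp_payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 123])) + ip_options
    udp_hdr = struct.pack("!HHHH", 40000, 123, 8 + len(ntp_payload), 0)
    return ip_hdr + udp_hdr + ntp_payload


def u32_load(pkt, offset):
    """u32 reads a 32-bit big-endian word; a read past the packet end makes the match fail."""
    if offset < 0 or offset + 4 > len(pkt):
        raise ValueError("u32 read out of range")
    return struct.unpack_from("!I", pkt, offset)[0]


def matches_monlist(pkt):
    """Evaluate the rule's test "0>>22&0x3C@8&0xFF=42" exactly as u32 does."""
    try:
        ihl_bytes = (u32_load(pkt, 0) >> 22) & 0x3C   # IHL field * 4 = IP header length
        word = u32_load(pkt, ihl_bytes + 8)            # @8: skip the 8-byte UDP header
    except ValueError:
        return False
    # Low byte of the first payload word is the mode 7 request code.
    return (word & 0xFF) == MON_GETLIST_1
```

The test only inspects one payload byte on port 123 and, because of `! -f`, skips non-first fragments that carry no header, which is why the rule is a backstop for leaked monlist traffic rather than a replacement for upstream filtering.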
  13. key900

    key900 New Member Verified Provider

    Nov 26, 2014
    Great work, seems a good way.
     
  14. X3host

    X3host New Member Verified Provider

    Jan 9, 2015
    Does this work with an OpenVZ OS?
     
  15. Francisco

    Francisco Company Lube Verified Provider

    May 15, 2013
    This just stops your VMs from being used to DDoS other people; it won't stop NTP floods from hitting you straight in the face.

    Francisco
     
  16. VPSclub

    VPSclub New Member

    Jan 19, 2016
    Helpful tutorial, thanks.


    Is there any way to stop DNS amplification attacks? Any tutorial on this would be highly appreciated.