
After some half-good script kiddies found out about this exploit or DDoS method, they have been doing it like crazy to websites, game servers, and now my home servers, which allow me to work on some of my clients' websites and different projects for people. My ISP is calling me, complaining about it and how it is using up a lot of their bandwidth. They are complaining that they are going to shut off my business plan service if it does not stop.

Also, all of my home servers run Fedora 17, PHP 5.5, Apache 2.6, MySQL 5.5.

How can I patch or block this method of attack?

  • Worth mentioning that you're probably not the target. You've probably got an exposed NTP server that's being exploited in the attack on the real target, making you collateral damage. – Mark Apr 23 '14 at 06:28
  • @Mark Who else would they be targeting when it is my own home network and servers there? – Apr 23 '14 at 07:13
  • The NTP attacks are reflected DDoS attacks: the attacker sends a request to your server but lies about where it's coming from, causing your server to send a (very large) reply to the real target of the attack. – Mark Apr 23 '14 at 07:22
  • @Mark That I know of. They are using the method to attack my network or send traffic to it so I get DDoSed. I am trying to figure out how to stop this before I go insane. – Apr 23 '14 at 07:41
  • Get professional help. In the meantime, [this page](http://www.ntppool.org/join/configuration.html#management-queries) lists recommended ntpd configuration. And _please_ read http://www.catb.org/~esr/faqs/smart-questions.html – Martin Schröder Apr 23 '14 at 11:41
  • Everything said so far is speculation without knowing whether or not he is running an NTP server. He may be a legitimate target, or just an open relay. – David Houde Apr 24 '14 at 05:50

3 Answers


As an immediate mitigation, shut down your NTP service until you can get it secured properly. Your computer's clock won't (or at least, shouldn't) drift too much in a day or two. You'll still be seeing the incoming requests, but your server won't be sending replies, so the overall traffic level should drop by 90% or more.

Since you're running a home server, you're probably not providing public NTP services. In this case, securing things is easy. You can block all incoming traffic to UDP port 123 at the firewall, or you can use the "UNIX ntpd" template here to configure ntpd to ignore incoming requests, or (better) do both.

Mark
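As an added example (not code from Mark's answer): the permissive restrict line beside the hardened one, a check that flags an ntp.conf which still answers status queries, and the matching firewall rules. It assumes ntpd with ntp.conf syntax and an iptables firewall, as on Fedora 17; 0.fedora.pool.ntp.org is just the distro's default pool.

```shell
#!/bin/sh
# Added example, not part of the original answer. Hardens a home box that
# only consumes time: it must never answer NTP queries from the Internet.
# Assumes ntpd (ntp.conf syntax) and iptables, as on Fedora 17.

# A permissive restrict line like this still answers mode 6/7 status queries
# (ntpq/ntpdc) from anyone, which is what reflection abuse relies on.
WEAK_NTP_CONF='server 0.fedora.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1'

# Hardened: noquery refuses status queries, nopeer refuses unsolicited peers,
# kod+limited rate-limit abusive sources; localhost keeps full access and
# the configured upstream servers can still send us time replies.
HARDENED_NTP_CONF='server 0.fedora.pool.ntp.org iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

# ntp_conf_is_hardened: read an ntp.conf on stdin and succeed only when
# every "restrict default" (IPv4 and IPv6) line carries noquery.
ntp_conf_is_hardened() {
  defaults=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default' || true)
  [ -n "$defaults" ] || return 1
  ! printf '%s\n' "$defaults" | grep -qv 'noquery'
}

# firewall_rules: print iptables rules that drop unsolicited inbound UDP/123
# but still admit replies to the queries our own ntpd sends out.
firewall_rules() {
  cat <<'EOF'
iptables -A INPUT -p udp --dport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP
EOF
}

# On the real box (assumed paths): write HARDENED_NTP_CONF to /etc/ntp.conf,
# restart ntpd, then run the printed rules as root and save them.
if printf '%s\n' "$HARDENED_NTP_CONF" | ntp_conf_is_hardened; then
  echo "hardened config passes check"
fi
```

Run the check against your live config with `ntp_conf_is_hardened < /etc/ntp.conf` before reopening anything.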

NTP has one of the highest request-to-response size ratios, is over UDP, and as such is highly preferred as a method for reflective DNS amplification attacks. Cloudflare was recently the target of the largest attack of this type, which exceeded 400Gb/s. They did a good write-up on what it's like to be on the receiving end of this attack and how server admins can mitigate it. Check out the articles here (be sure to check out the comments):

http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

PTW-105

One thing you can do in addition to the other answers is to contact the police - where I live, DDoS is just as bad as vandalism and is punishable by jail time and/or other sanctions. Script kiddies or not, over here the police can request information about the traffic from the ISP. If it's a script kiddie then it's easy, they mostly attack from their parents' home network, and if it's not and it uses proxies or botnets you can be assured they're not sending idiots after it.

Of course when the attack happens don't forget to disconnect whatever equipment is providing the network connection to your server.

Lighty
  • Unless you're suffering substantial losses (hundreds of thousands of dollars or more), going to the police is a waste of your time and theirs. In a reflected DDoS attack, the only address you know is that of the target, and most police forces are incapable of tracking the attack back to the real attacker. – Mark Apr 23 '14 at 19:28
  • I run a server myself, and I have been attacked before. The only thing I had to do is request logs from my ISP and submit my own logs to the police; within 2 hours of when the attack started, they were on scene at the attacker, he got fined 1200 euros, and got a mark. – Lighty Apr 24 '14 at 07:08
  • @Lighty in what country do you live? – cantdutchthis Apr 24 '14 at 07:15
  • The Netherlands, Europe – Lighty Apr 24 '14 at 07:20