UDP packets not filtered

Started by Aloist, November 17, 2019, 10:24:31 AM

I have had a recent problem when one of our servers was incorrectly configured for NTP, and was then abused for an
NTP amplification DDoS attack.
Because it gets NTP broadcasts from the LAN, it does not need to receive NTP packets from the Internet.

I have created a firewall rule which, on the WAN side, blocks all incoming NTP packets to this server's IP, UDP port 123.

But when I use tcpdump on the server to see incoming UDP packets on port 123, I still see massive amounts of them.
It seems that the firewall rule does not work.

What could be going on here?

I found the reason myself.
I had another, more general rule allowing incoming NTP packets. That rule took priority over the blocking rule.
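The rule-ordering effect described in the post above, as an added example that is not part of the thread: pfSense evaluates the rules on an interface tab top-down and the first match decides (only floating rules without "quick" use last-match), so a broad "allow NTP" rule placed above a host-specific "block NTP" rule wins and the block never fires. The small evaluator below models that first-match behaviour with constructed addresses and rule text; it is not pfSense code.

```python
"""Added example: model pfSense's top-down, first-match evaluation of
interface rules to show why rule order decided the outcome in this thread.
Addresses are constructed (TEST-NET-3); nothing here talks to a firewall."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # destination in CIDR form, or "any"
    dport: Optional[int]   # None matches any destination port
    descr: str


def matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    """Does this rule apply to a packet with the given protocol/dst/port?"""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def evaluate(rules: list[Rule], proto: str, dst_ip: str, dport: int) -> tuple[str, str]:
    """Interface rules are 'quick': the first matching rule decides.
    A packet matching nothing is dropped by the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"


NTP_SERVER = "203.0.113.10"   # constructed address of the abused server

# The ordering that let the traffic through: the general allow sits first.
BROKEN = [
    Rule("pass", "udp", "any", 123, "allow NTP to any host (general rule)"),
    Rule("block", "udp", NTP_SERVER + "/32", 123, "block NTP to the internal server"),
]

# The fix: the specific block must come before the general allow.
FIXED = [BROKEN[1], BROKEN[0]]

if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        action, descr = evaluate(ruleset, "udp", NTP_SERVER, 123)
        print(f"{name:6s}: {action:5s} ({descr})")
```

With the broken order the packet hits the general allow and never reaches the block; with the fixed order it is blocked, while NTP to any other host is still allowed by the general rule below it.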

Configuring NTP to accept broadcasts is a BAD security practice. Also restrict the config so it only acts as a client; by default it will reply to any NTP request. Something like:

driftfile /var/lib/ntp/drift

# Drop every packet from every source by default (IPv4 and IPv6).
restrict default ignore
restrict -6 default ignore

# Only the local host may talk to ntpd freely (e.g. ntpq on the box itself).
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers this host syncs from; maxpoll 6 = poll at most every 64 s.
server xx.xx.15.100 maxpoll 6 iburst
server xx.xx.15.101 maxpoll 6 iburst
server xx.xx.15.102 maxpoll 6 iburst
server xx.xx.15.103 maxpoll 6 iburst

# Accept time replies from the upstream servers, but let them neither
# modify, trap, peer with nor query this daemon.
restrict xx.xx.15.100 nomodify notrap nopeer noquery
restrict xx.xx.15.101 nomodify notrap nopeer noquery
restrict xx.xx.15.102 nomodify notrap nopeer noquery
restrict xx.xx.15.103 nomodify notrap nopeer noquery