Re: unknown traffic on the external interface

Miroslav Prýmek m.prymek at gmail.com
Thu Jan 2 21:17:44 CET 2014


On 31 December 2013 14:04, Jindrich Fucik <fulda at seznam.cz> wrote:
> Just a reminder that ntp is port 123 - so it's about the second one that
> occurs to a young hacker when writing his program (right after 1234 and before 12345)

On New Year's Eve there was a DRDoS attack using amplification through open ntp servers:

On Tue 31 Dec 2013 10:14:16, ddos-response at nfoservers.com wrote:
> A public NTP server on your network participated in a very large-scale
> attack against a customer of ours today, generating UDP responses
> to spoofed requests with bogus timestamps that claimed to be from
> the attack target.
[...]
> If you have the ability to look at historical traffic data and
> determine the true source of the spoofed traffic, please also do
> this -- we'd love for this attacker himself to be shut down and for
> his ISP to fix its network configuration in order to stop others
> from spoofing. With the 10x amplification factor of NTP DRDoS
> attacks, it only takes one machine on an unfiltered 1 Gbps link to
> generate 10 Gbps of nearly untraceable attack traffic.

Ntpd in FreeBSD has "restrict default ignore" commented out by default,
so it could be abused in this attack (in the default configuration,
on a machine without a firewall).
http://svnweb.freebsd.org/base/release/9.2.0/etc/ntp.conf?view=markup

M.
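
Added example, not part of the original message: a Python check for the condition described above, an ntp.conf in which no active "restrict default ignore" line exists. The function names, sample configs and the 192.0.2.1 upstream address are constructed; counting a bare "default" for IPv4 only is a conservative assumption, since ntpd versions differ on whether it also covers IPv6.

```python
# Constructed sample: default-deny lines commented out, as the message describes.
SAMPLE_DEFAULT = """\
server 192.0.2.1
#restrict default ignore
#restrict -6 default ignore
restrict 127.0.0.1
"""

# Constructed sample: the same file with the default-deny lines active and
# an exemption so the upstream server (placeholder address) is still heard.
SAMPLE_HARDENED = """\
server 192.0.2.1
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.1 nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def default_restrictions(conf_text):
    """Return {'ipv4': flags|None, 'ipv6': flags|None} for active
    'restrict default' lines; None means no default entry is active."""
    found = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"                          # assumption: bare default = IPv4 only
        if args[0] in ("-4", "-6"):
            family = "ipv4" if args[0] == "-4" else "ipv6"
            args = args[1:]
        if args and args[0] == "default":
            found[family] = set(args[1:])        # a later line replaces an earlier one
    return found

def exposed_families(conf_text):
    """Address families whose default entry is missing or lacks 'ignore'."""
    return sorted(fam for fam, flags in default_restrictions(conf_text).items()
                  if flags is None or "ignore" not in flags)

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, "-> answers unknown hosts on:", exposed_families(text) or "none")
```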


