Dealing with NTP reflection attacks in IPTables


We're dealing with an NTP reflection / amplification attack at our colocated servers. This question is specific to responding to NTP reflection attacks, and not directed at DDoS in general.

Here's the traffic:

router network traffic graph

It's churning a bit of CPU on our router:

router CPU usage graph

Unfortunately it is not big enough to cause our upstream provider to blackhole the traffic, which means it's passing through to us.

We've used the following rule to block the NTP traffic, which originates on port 123:

-p udp --sport 123 -j DROP

This is the first rule in IPTables.

I searched a lot, and I can't find very much information on how to use IPTables to mitigate a NTP reflection attack. And some of the information out there seems flat out incorrect. Is this IPTables rule correct? Is there anything else we can add, or do, to mitigate a NTP reflection / amplification attack other than contact our upstream network provider?

Also: since these attackers must be using networks that

  • allow spoofing of IP address in packets
  • have unpatched, circa 2010 NTP code

is there any global clearinghouse we can report these IP addresses to, so that they get fixed to stop allowing spoofed packets, and patch their NTP servers?

Best Answer

Essentially, you're outta luck if the DDoS attack manages to fill whatever pipe you have to the Internet (which is the purpose of any UDP reflection attack -- to fill the pipe). If your upstream link can take 1Gbps of traffic, and there's (say) 2Gbps of traffic total to go down the link, then half of it is going to be dropped by the router or switch that's putting the packets down the link. The attacker doesn't care that half of their attack traffic gets dropped, but your customers do: 50% packet loss in a TCP connection is going to do terrible, terrible things to the performance and reliability of those connections.

There are only two three ways to stop a volumetric DDoS attack:

  1. Have a big enough pipe that the attack traffic doesn't fill it.
  2. Stop the attack packets before they go down the pipe.
  3. Shift to a different IP address that isn't under NTP reflection attack.

Blocking them in iptables won't do squat, because by then the attack traffic has already squeezed out the legit traffic and caused it to be dropped on the floor, so the attacker has won. Since you (presumably) don't control the upstream router or switch that is forwarding the attack traffic, yes, you'll have to get in touch with your upstream network provider and have them do something to stop the attack traffic from reaching your network link, whether that be

  • block all traffic on the attack port (not something most ISPs are willing to do on their colo customer access routers, for $REASONS)

  • filter out the source IP addresses of the attack (more plausible, with S/RTBH, but not something that every provider already has available)

  • worst case, blackhole the destination IP address

Note that blackholing the IP only works if you've got other IP addresses that can continue operating -- if your provider blackholes your only IP address, the attacker has succeeded because you're off the Internet, which is what they were trying to achieve in the first place.

Related Topic