*NTP-Reflection Attacks 2014/02/20 [#o1871232]
On the machine called g7, when I updated the kernel the reboot took a very long time (thinking about it afterwards, maybe the time lookup during the boot sequence was timing out?), and it stayed at FreeBSD 9.1-RELEASE-p7 when it should have become FreeBSD 9.1-RELEASE-p10. Then, just on a whim, I did cat /var/log/messages and saw
 Feb 20 08:43:42 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
 Feb 20 08:43:43 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:43:44 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
 Feb 20 08:43:45 g7 kernel: Limiting icmp unreach response from 251 to 200 packets/sec
 Feb 20 08:43:46 g7 kernel: Limiting icmp unreach response from 264 to 200 packets/sec
 Feb 20 08:43:47 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:43:48 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:43:49 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
 Feb 20 08:43:50 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec
being printed endlessly. The bandwidth, though, wasn't being eaten that much. So I ran tcpdump -i em0 and got
 08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.401899 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.402023 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.408995 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.411647 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.411772 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.420439 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.422227 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.434728 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.434852 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
pouring in ┐(´д`)┌. So I changed /etc/ntp.conf from
 restrict default ignore
 restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 restrict 2.pool.ntp.org nomodify nopeer noquery notrap
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0
to
 server 0.freebsd.pool.ntp.org iburst
 server 1.freebsd.pool.ntp.org iburst
 server 2.freebsd.pool.ntp.org iburst
 disable monitor
 restrict default kod nomodify notrap nopeer noquery
 restrict -6 default kod nomodify notrap nopeer noquery
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0
http://www.atmarkit.co.jp/ait/articles/1401/15/news126.html
http://1118.me/?p=32315
and ran service ntpd restart, and the "Limiting icmp unreach response" messages stopped.
 Feb 20 08:44:25 g7 kernel: Limiting icmp unreach response from 269 to 200 packets/sec
 Feb 20 08:44:26 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
 Feb 20 08:44:27 g7 kernel: Limiting icmp unreach response from 261 to 200 packets/sec
 Feb 20 08:44:28 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec
 Feb 20 08:44:29 g7 kernel: Limiting icmp unreach response from 254 to 200 packets/sec
 Feb 20 08:44:30 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:44:31 g7 kernel: Limiting icmp unreach response from 252 to 200 packets/sec
 Feb 20 08:44:32 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:44:33 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
 Feb 20 08:44:34 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:44:35 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
 Feb 20 08:44:36 g7 ntpd[9295]: ntpd 4.2.4p5-a (1)
 Feb 20 08:44:48 g7 ntpd[9296]: time reset +3.451551 s
 Feb 20 08:45:40 g7 kernel: em0: promiscuous mode disabled
 root@g7:/root #
Then I ran freebsd-update once more, rebooted, and it updated to FreeBSD 9.1-RELEASE-p10. But why??
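Whether an ntp.conf actually closes the door to mode 6/7 queries (the monlist request behind NTP amplification) is easy to check mechanically. The script below is an added example written for this entry, not code from the page or from ntpd: it reads an ntp.conf text, finds the default restrict rules for IPv4 and IPv6, and reports whether queries are reachable from arbitrary addresses and whether the monitor facility that monlist reads from is switched off. It assumes an unqualified "restrict default" covers both address families and a "-4"/"-6" qualifier only the named one; the two sample configs are the page's own ntp.conf before the 2014/02/14 change and after the 2014/02/20 change.

```python
"""Audit ntp.conf restrict/monitor settings against NTP reflection abuse.

Added example for this wiki entry, not the page's own code and not part of
ntpd. Assumption: an unqualified "restrict default" is treated as covering
both IPv4 and IPv6, "restrict -4/-6 default" only the named family.
"""

# The page's ntp.conf before the 2014/02/14 change: no restrict lines at all.
BEFORE = """\
server ntp.jst.mfeed.ad.jp
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 2.freebsd.pool.ntp.org iburst maxpoll 9
"""

# The page's ntp.conf after the 2014/02/20 change.
AFTER = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""


def parse_ntp_conf(text):
    """Yield (keyword, args) for every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def default_restrictions(text):
    """Flags of the default restrict rule per family, or None if there is none."""
    defaults = {"ipv4": None, "ipv6": None}
    for kw, args in parse_ntp_conf(text):
        if kw != "restrict":
            continue
        args = list(args)
        family = args.pop(0) if args and args[0] in ("-4", "-6") else None
        if not args or args[0] != "default":
            continue
        flags = set(args[1:])
        if family in (None, "-4"):
            defaults["ipv4"] = flags
        if family in (None, "-6"):
            defaults["ipv6"] = flags
    return defaults


def monitor_enabled(text):
    """ntpd's monitor facility (what monlist reads) is on unless disabled."""
    enabled = True
    for kw, args in parse_ntp_conf(text):
        if kw in ("enable", "disable") and "monitor" in args:
            enabled = kw == "enable"
    return enabled


def audit(text):
    """Return FAIL/WARN strings; an empty list means reflection is blocked."""
    findings = []
    queries_open = False
    for family, flags in default_restrictions(text).items():
        if flags is None:
            findings.append(f"FAIL {family}: no 'restrict default' rule, anyone may send mode 6/7 queries")
            queries_open = True
        elif not ({"ignore", "noquery"} & flags):
            findings.append(f"FAIL {family}: 'restrict default' lacks noquery (or ignore)")
            queries_open = True
    if monitor_enabled(text):
        # With queries blocked this is defence in depth; with them open it is
        # the monlist amplifier itself.
        level = "FAIL" if queries_open else "WARN"
        findings.append(f"{level}: monitor facility enabled, add 'disable monitor'")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or ["OK"])
```

Run against the 2014/02/14 "before" config it reports three FAILs (no default rule for either family, monitor on); against the 2014/02/20 config it reports nothing. The intermediate "restrict default ignore" config passes the query check but still gets a WARN for the monitor facility, which is exactly what the later "disable monitor" line addresses.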
*NTP-Reflection Attacks 2014/02/14 [#f631df10]
For some reason the network had become dreadfully slow, as if the bandwidth had dropped to old ISDN class.
Looking at the traffic, "something" of 80MB-class seemed to be eating the bandwidth. Σ(⊙ω⊙ )
Looking at the traffic, "something" of 40MB-class seemed to be eating the bandwidth. Σ(⊙ω⊙ )
Apparently this is the rumoured "NTP amp attack". Sheesh... (ーー;)
Open NTP Server Reflection & http://nakacya.wordpress.com/type/aside/
#ref(20140214_NTP_Atack.PNG)
Watching the network with tcpdump:
 13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072081 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072084 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072086 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072089 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072091 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072094 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072097 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072099 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072101 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072104 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072106 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072109 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072111 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072114 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
Good grief, it's completely filled with length 440 ntp queries! (゚◇゚)ガーン
For now, a countermeasure! ( ̄^ ̄)ゞ I changed /etc/ntp.conf from
 server ntp.jst.mfeed.ad.jp
 server 0.freebsd.pool.ntp.org iburst maxpoll 9
 server 1.freebsd.pool.ntp.org iburst maxpoll 9
 server 2.freebsd.pool.ntp.org iburst maxpoll 9
to
 restrict default ignore
 restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 restrict 2.pool.ntp.org nomodify nopeer noquery notrap
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0
and ran service ntpd restart.
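The two captures on this page show the same abuse from both sides: on 2014/02/14 g7 is the reflector, sending 440-byte NTPv2 "Reserved" (mode 7, i.e. monlist) replies to a victim whose forged source port was 80, and on 2014/02/20 mode-7 packets arrive at g7 from the address that is being targeted. The script below is an added example written for this entry, not code from the page or from tcpdump: it parses lines in the shape of the "tcpdump -i em0" excerpts, aggregates mode-7 packets per peer, and labels the local host's role. "Reserved" is tcpdump's name for NTP mode 7, and 440 bytes is a full monlist reply (8-byte header plus six 72-byte entries). The sample lines are constructed from the page's excerpts; the host names are the page's, the counts are illustrative.

```python
"""Spot NTP mode-7 (monlist) reflection traffic in tcpdump output.

Added example for this wiki entry, not the page's own code. Parses lines
shaped like the page's "tcpdump -i em0" excerpts and reports, per peer,
whether the local host is reflecting (outbound 440-byte NTPv2 "Reserved"
replies) or is receiving mode-7 queries (inbound NTPv2 "Reserved" packets).
"""
import re
from collections import Counter

# tcpdump prints "host.port"; host names contain dots, so the port is the
# text after the last dot. "Reserved" is how tcpdump names NTP mode 7.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[^.\s:]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<length>\d+)$"
)

# A full monlist reply: 8-byte mode-7 header plus 6 entries of 72 bytes.
MONLIST_REPLY_LEN = 440

# Constructed sample modelled on the page's two captures (host names from the
# page, counts illustrative); the last two lines are ordinary traffic.
SAMPLE = [
    "13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440",
    "13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440",
    "13:54:15.072081 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440",
    "13:54:15.072084 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440",
    "08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32",
    "08:44:36.401899 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32",
    "08:44:36.402023 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32",
    "08:44:40.000000 IP g7.kuji-clinic.net.ntp > 0.freebsd.pool.ntp.org.ntp: NTPv4, Client, length 48",
    "08:44:40.100000 IP g7.kuji-clinic.net.22 > 10.0.0.5.51234: Flags [P.], length 96",
]


def parse_line(line):
    """Return a dict of fields for an NTP tcpdump line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ver"] = int(rec["ver"])
    rec["length"] = int(rec["length"])
    return rec


def classify(lines, local_host):
    """Aggregate mode-7 packets by peer and label the local host's role."""
    packets, octets = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mode"] != "Reserved":   # only mode 7 matters here
            continue
        if rec["src"] == local_host:
            key = ("out", rec["dst"], rec["dport"], rec["length"])
        elif rec["dst"] == local_host:
            key = ("in", rec["src"], rec["sport"], rec["length"])
        else:
            continue
        packets[key] += 1
        octets[key] += rec["length"]

    findings = []
    for key, n in packets.most_common():
        direction, peer, port, length = key
        if direction == "out" and length >= MONLIST_REPLY_LEN:
            role = "reflector"            # we are amplifying towards the peer
        elif direction == "out":
            role = "mode7-reply"
        else:
            role = "mode7-query-target"   # mode-7 queries are arriving at us
        findings.append({
            "role": role, "peer": peer, "peer_port": port,
            "packets": n, "bytes": octets[key],
            # A reply going to a non-NTP port means the query's source port
            # was forged: the peer is the reflection victim, not a client.
            "spoofed_port": direction == "out" and port != "ntp",
        })
    return findings


def report(findings):
    """Render findings as one text line each."""
    lines = []
    for f in findings:
        line = f"{f['role']:20} {f['peer']}:{f['peer_port']}  packets={f['packets']} bytes={f['bytes']}"
        if f["spoofed_port"]:
            line += "  (reply to non-NTP port: forged query source, peer is the victim)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify(SAMPLE, "g7.kuji-clinic.net"))))
```

Fed a live capture (tcpdump -i em0 -n -l | python3 this_script.py would need a stdin loop; here the sample list stands in for it), the "reflector" line is the one that matters on a server you own: it means your ntpd is answering monlist for anyone, which is what the restrict and "disable monitor" changes above turn off.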