Last modified: 2014-02-21 (Fri) 16:29:36


NTP Reflection Attacks 2014/02/20

On a machine called g7, after a kernel update the reboot took an awfully long time,

(thinking about it afterwards, maybe something like fetching the time during the boot sequence was timing out?)

FreeBSD 9.1-RELEASE-p10

is what it should have become, but it was still

FreeBSD 9.1-RELEASE-p7

unchanged. Then, on a whim, running

cat /var/log/messages gave:

Feb 20 08:43:42 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
Feb 20 08:43:43 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
Feb 20 08:43:44 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
Feb 20 08:43:45 g7 kernel: Limiting icmp unreach response from 251 to 200 packets/sec
Feb 20 08:43:46 g7 kernel: Limiting icmp unreach response from 264 to 200 packets/sec
Feb 20 08:43:47 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
Feb 20 08:43:48 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
Feb 20 08:43:49 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
Feb 20 08:43:50 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec

being printed endlessly. Bandwidth, however, wasn't being consumed all that much. So, running

tcpdump -i em0 showed:

08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.401899 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.402023 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.408995 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.411647 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.411772 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.420439 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.422227 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.434728 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.434852 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32

pouring out in a flood ┐(´д`)┌

So I changed /etc/ntp.conf from

restrict default ignore
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

to

server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

disable monitor

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

http://www.atmarkit.co.jp/ait/articles/1401/15/news126.html

http://1118.me/?p=32315

referring to the two pages above, and after a

service ntpd restart

the "Limiting icmp unreach response" messages stopped.
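As an added example (not code from the original post), here is a small audit of the checks the fix above relies on: `disable monitor`, and a default `restrict` for both IPv4 and IPv6 that carries `noquery` or `ignore`. It also counts time sources, since a config that only restricts and names no server cannot sync the clock; treating an unflagged `restrict default` as covering both address families is an assumption of this script.

```python
"""Audit ntp.conf for NTP mode 7 (monlist) reflection exposure.
Added example, not from the original post: checks `disable monitor`, a
default `restrict` (v4 and v6) with `noquery`/`ignore`, and time sources."""
import shlex

def audit_ntp_conf(text):
    """Return findings for one ntp.conf body (string)."""
    monitor_disabled, servers = False, 0
    default_flags = {"-4": None, "-6": None}   # flags on `restrict default`
    for raw in text.splitlines():
        toks = shlex.split(raw.split("#", 1)[0])
        if not toks:
            continue
        if toks[0] == "disable" and "monitor" in toks[1:]:
            monitor_disabled = True
        elif toks[0] in ("server", "peer", "pool"):
            servers += 1
        elif toks[0] == "restrict":
            rest, fams = toks[1:], ["-4", "-6"]   # assumed: unflagged = both
            if rest and rest[0] in fams:
                fams, rest = [rest[0]], rest[1:]
            if rest and rest[0] == "default":
                for fam in fams:
                    default_flags[fam] = set(rest[1:])
    def closed(flags):   # `ignore` drops all; `noquery` blocks mode 6/7
        return flags is not None and bool({"ignore", "noquery"} & flags)
    return {"monitor_disabled": monitor_disabled,
            "v4_closed": closed(default_flags["-4"]),
            "v6_closed": closed(default_flags["-6"]),
            "has_time_sources": servers > 0}

def is_reflector(f):
    """True when remote hosts can still reach the monlist responder."""
    return not f["monitor_disabled"] and not (f["v4_closed"] and f["v6_closed"])

# The three configs quoted in the post, embedded as constructed strings.
CONF_OPEN = "server ntp.jst.mfeed.ad.jp\nserver 0.freebsd.pool.ntp.org iburst maxpoll 9\n"
CONF_IGNORE = ("restrict default ignore\n"
               "restrict 0.pool.ntp.org nomodify nopeer noquery notrap\n"
               "restrict 127.0.0.1\nrestrict -6 ::1\n")
CONF_FIXED = ("server 0.freebsd.pool.ntp.org iburst\ndisable monitor\n"
              "restrict default kod nomodify notrap nopeer noquery\n"
              "restrict -6 default kod nomodify notrap nopeer noquery\n"
              "restrict 127.0.0.1\nrestrict -6 ::1\n")

if __name__ == "__main__":
    for n in ("CONF_OPEN", "CONF_IGNORE", "CONF_FIXED"):
        print(n, is_reflector(audit_ntp_conf(globals()[n])))
```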

Feb 20 08:44:25 g7 kernel: Limiting icmp unreach response from 269 to 200 packets/sec
Feb 20 08:44:26 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
Feb 20 08:44:27 g7 kernel: Limiting icmp unreach response from 261 to 200 packets/sec
Feb 20 08:44:28 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec
Feb 20 08:44:29 g7 kernel: Limiting icmp unreach response from 254 to 200 packets/sec
Feb 20 08:44:30 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
Feb 20 08:44:31 g7 kernel: Limiting icmp unreach response from 252 to 200 packets/sec
Feb 20 08:44:32 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
Feb 20 08:44:33 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
Feb 20 08:44:34 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
Feb 20 08:44:35 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
Feb 20 08:44:36 g7 ntpd[9295]: ntpd 4.2.4p5-a (1)
Feb 20 08:44:48 g7 ntpd[9296]: time reset +3.451551 s
Feb 20 08:45:40 g7 kernel: em0: promiscuous mode disabled
root@g7:/root #

Then I ran freebsd-update once more and rebooted, and it was updated to

FreeBSD 9.1-RELEASE-p10

Still, why??

NTP Reflection Attacks 2014/02/14

For some reason the network had become terribly slow, as if bandwidth had dropped to the old ISDN class.

Looking at the traffic, "something" on the order of 40MB was eating the bandwidth. Σ(⊙ω⊙ )

Apparently this is the much-talked-about "NTP amp attack". Good grief... (ーー;)

Open NTP Server Reflection&AMP http://nakacya.wordpress.com/type/aside/

[Image: 20140214_NTP_Atack.PNG]

Observing the network with tcpdump:

13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072081 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072084 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072086 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072089 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072091 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072094 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072097 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072099 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072101 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072104 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072106 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072109 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072111 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072114 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440

Well, isn't it completely flooded with length 440 NTP queries! (゚◇゚)ガーン
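As an added example (not code from the original post), the following script picks the signature seen above out of tcpdump text output: tcpdump prints NTP mode 7 packets as "NTPv2, Reserved", and a monlist reply carries 440 bytes, so 440-byte mode 7 packets leaving our own NTP port mean the host is reflecting. The sample lines are constructed to match the shape of the post's captures; `pool.example.net` is a made-up host.

```python
"""Flag NTP mode 7 (monlist) reflection traffic in tcpdump text output.
Added example, not from the original post. tcpdump prints mode 7 packets
as "NTPv2, Reserved"; a monlist reply carries 440 bytes of payload."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<len>\d+)$")

def parse(line):
    """Split one tcpdump line into fields; None for non-NTP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # tcpdump appends the service name to the host: "host.ntp" -> host, "ntp"
    d["src"], d["sport"] = d["src"].rsplit(".", 1)
    d["dst"], d["dport"] = d["dst"].rsplit(".", 1)
    d["len"] = int(d["len"])
    return d

def mode7_flows(lines, local_host):
    """Count mode 7 packets per (direction, peer, length) seen by local_host."""
    flows = Counter()
    for line in lines:
        p = parse(line)
        if not p or p["mode"] != "Reserved":
            continue                       # ignore ordinary client/server NTP
        if p["src"] == local_host:
            flows[("out", p["dst"], p["len"])] += 1   # replies we are emitting
        elif p["dst"] == local_host:
            flows[("in", p["src"], p["len"])] += 1    # requests reaching us
    return flows

def is_reflecting(flows):
    """True if this host emits 440-byte mode 7 replies, i.e. monlist output."""
    return any(d == "out" and ln == 440 for (d, _, ln) in flows)

# Constructed sample: lines shaped like the post's two captures, plus one
# ordinary NTPv4 exchange with a made-up pool host.
SAMPLE = """\
13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:40.123456 IP pool.example.net.ntp > g7.kuji-clinic.net.ntp: NTPv4, Server, length 48
""".splitlines()

if __name__ == "__main__":
    print(is_reflecting(mode7_flows(SAMPLE, "g7.kuji-clinic.net")))
```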

For now, a countermeasure! ( ̄^ ̄)ゞ

/etc/ntp.conf was changed from

server ntp.jst.mfeed.ad.jp
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 2.freebsd.pool.ntp.org iburst maxpoll 9

to

restrict default ignore
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

and then

service ntpd restart
