*NTP-Reflection Attacks 2014/02/20 [#o1871232]
On the machine called g7, when I updated the kernel, the reboot took a very long time, and

(Thinking about it afterwards, maybe the time acquisition during the boot sequence was timing out?)

 FreeBSD 9.1-RELEASE-p10

is what it should have become, but it was still
 FreeBSD 9.1-RELEASE-p7
and nothing had changed. Then, without thinking much of it, I ran

cat /var/log/messages, which showed

 Feb 20 08:43:42 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
 Feb 20 08:43:43 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:43:44 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
 Feb 20 08:43:45 g7 kernel: Limiting icmp unreach response from 251 to 200 packets/sec
 Feb 20 08:43:46 g7 kernel: Limiting icmp unreach response from 264 to 200 packets/sec
 Feb 20 08:43:47 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:43:48 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:43:49 g7 kernel: Limiting icmp unreach response from 257 to 200 packets/sec
 Feb 20 08:43:50 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec

being printed endlessly. The bandwidth, though, was not being eaten up all that much. So I ran

tcpdump -i em0, which showed

 08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.401899 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.402023 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.408995 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.411647 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.411772 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.420439 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.422227 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.434728 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
 08:44:36.434852 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32

gushing out by the bucketful ┐(´д`)┌

So I changed /etc/ntp.conf from

 restrict default ignore
 restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 restrict 2.pool.ntp.org nomodify nopeer noquery notrap
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0

to

 server 0.freebsd.pool.ntp.org iburst
 server 1.freebsd.pool.ntp.org iburst
 server 2.freebsd.pool.ntp.org iburst
 
 disable monitor
 
 restrict default kod nomodify notrap nopeer noquery
 restrict -6 default kod nomodify notrap nopeer noquery
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0

http://www.atmarkit.co.jp/ait/articles/1401/15/news126.html

http://1118.me/?p=32315

and, after the change, ran

 service ntpd restart

after which the "Limiting icmp unreach response" messages stopped.

 Feb 20 08:44:25 g7 kernel: Limiting icmp unreach response from 269 to 200 packets/sec
 Feb 20 08:44:26 g7 kernel: Limiting icmp unreach response from 260 to 200 packets/sec
 Feb 20 08:44:27 g7 kernel: Limiting icmp unreach response from 261 to 200 packets/sec
 Feb 20 08:44:28 g7 kernel: Limiting icmp unreach response from 253 to 200 packets/sec
 Feb 20 08:44:29 g7 kernel: Limiting icmp unreach response from 254 to 200 packets/sec
 Feb 20 08:44:30 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:44:31 g7 kernel: Limiting icmp unreach response from 252 to 200 packets/sec
 Feb 20 08:44:32 g7 kernel: Limiting icmp unreach response from 265 to 200 packets/sec
 Feb 20 08:44:33 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
 Feb 20 08:44:34 g7 kernel: Limiting icmp unreach response from 255 to 200 packets/sec
 Feb 20 08:44:35 g7 kernel: Limiting icmp unreach response from 263 to 200 packets/sec
 Feb 20 08:44:36 g7 ntpd[9295]: ntpd 4.2.4p5-a (1)
 Feb 20 08:44:48 g7 ntpd[9296]: time reset +3.451551 s
 Feb 20 08:45:40 g7 kernel: em0: promiscuous mode disabled
 root@g7:/root #

Then I ran freebsd-update once more and rebooted, and it went up to

 FreeBSD 9.1-RELEASE-p10

successfully. But why??

*NTP-Reflection Attacks 2014/02/14 [#f631df10]
Somehow the network had become extremely slow, as if the bandwidth had dropped to old ISDN-class levels.

Looking at the traffic, "something" on the order of 80MB appeared to be eating the bandwidth. Σ(⊙ω⊙ )
Looking at the traffic, "something" on the order of 40MB appeared to be eating the bandwidth. Σ(⊙ω⊙ )

Apparently this is the much-talked-about "NTP amp attack". Good grief... (ーー;)


Reflection & AMP via open NTP servers
http://nakacya.wordpress.com/type/aside/
#ref(20140214_NTP_Atack.PNG)

Observing the network with tcpdump,

 13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072081 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072084 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072086 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072089 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072091 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072094 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072097 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072099 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072101 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072104 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072106 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072109 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072111 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
 13:54:15.072114 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440

Good grief, it is completely filled with length 440 NTP queries! (゚◇゚)ガーン
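The two captures on this page are the two halves of the same thing: on 02/20 the inbound "NTPv2, Reserved, length 32" packets arriving at g7's port 123, and on 02/14 the outbound "NTPv2, Reserved, length 440" packets leaving g7's port 123 towards a non-NTP port on somebody else's web server. tcpdump prints NTP mode 7, the private mode that carries monlist, as "Reserved", so the first capture is the query side and the second is the reflected-reply side, with g7 acting as the reflector. The following Python script is an added example, not part of the original diary: it parses tcpdump lines of this form, classifies each one from the reflector's point of view, and counts inbound mode-7 queries, outbound mode-7 replies, the hosts receiving those replies, and the per-packet amplification ratio. The sample lines are copied from this page's two captures plus one constructed normal client packet for contrast; the hostname `g7.kuji-clinic.net` is the one from the captures.

```python
import re
from collections import Counter

# Sample input: first five lines copied from this page's tcpdump output
# (02/20 inbound probes, 02/14 outbound replies), last line constructed
# to show an ordinary client query that must not be flagged.
SAMPLE_LINES = """\
08:44:36.394039 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
08:44:36.401899 IP ddos-guard.net.ntp > g7.kuji-clinic.net.ntp: NTPv2, Reserved, length 32
13:54:15.072076 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072079 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:15.072081 IP g7.kuji-clinic.net.ntp > www162.sedoparking.com.http: NTPv2, Reserved, length 440
13:54:16.000000 IP g7.kuji-clinic.net.ntp > 0.freebsd.pool.ntp.org.ntp: NTPv4, Client, length 48
""".splitlines()

LOCAL_HOST = "g7.kuji-clinic.net"   # the host whose ntpd we are watching
NTP_PORTS = {"ntp", "123"}          # tcpdump prints "ntp" by default, "123" with -n

# tcpdump NTP summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: NTPv<n>, <mode>, length <len>"
# Hostnames contain dots, so the port is taken as the part after the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>[^. ]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[^. :]+): "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<len>\d+)$"
)


def parse_tcpdump_line(line):
    """Return a dict of fields for one tcpdump NTP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec, local_host):
    """Label a parsed packet relative to local_host.

    tcpdump shows NTP mode 7 (the private mode used by monlist) as "Reserved".
    A mode-7 packet arriving at our port 123 is a monlist-style query; a mode-7
    packet leaving our port 123 is a monlist reply, meaning we are the reflector
    and the destination is the victim being flooded.
    """
    mode7 = rec["mode"] == "Reserved"
    if mode7 and rec["dst"] == local_host and rec["dport"] in NTP_PORTS:
        return "mode7_query_in"
    if mode7 and rec["src"] == local_host and rec["sport"] in NTP_PORTS:
        return "mode7_reply_out"
    return "normal"


def summarize(lines, local_host):
    """Count packet classes, reply targets and the query->reply size ratio."""
    counts = Counter()
    victims = Counter()
    bytes_by_label = Counter()
    for line in lines:
        rec = parse_tcpdump_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec, local_host)
        counts[label] += 1
        bytes_by_label[label] += int(rec["len"])
        if label == "mode7_reply_out":
            victims[rec["dst"]] += 1
    ratio = None
    if counts["mode7_query_in"] and counts["mode7_reply_out"]:
        avg_query = bytes_by_label["mode7_query_in"] / counts["mode7_query_in"]
        avg_reply = bytes_by_label["mode7_reply_out"] / counts["mode7_reply_out"]
        ratio = avg_reply / avg_query
    return {
        "counts": dict(counts),
        "victims": dict(victims),
        "mode7_bytes_out": bytes_by_label["mode7_reply_out"],
        "amplification_ratio": ratio,
    }


if __name__ == "__main__":
    # Stand-alone run over the embedded sample; pipe real tcpdump output in instead
    # with: tcpdump -l -i em0 udp port 123 | python3 this_script.py
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(summarize(source, LOCAL_HOST))
```

Any non-zero `mode7_reply_out` count means the host is answering monlist for strangers; the `victims` map tells you who is being hit, and the ratio (13.75 for the 32-byte queries and 440-byte replies seen here) is the amplification the attacker gets per packet.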

For now, countermeasures! ( ̄^ ̄)ゞ

I changed /etc/ntp.conf from

 server ntp.jst.mfeed.ad.jp
 server 0.freebsd.pool.ntp.org iburst maxpoll 9
 server 1.freebsd.pool.ntp.org iburst maxpoll 9
 server 2.freebsd.pool.ntp.org iburst maxpoll 9

to

 restrict default ignore
 restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 restrict 2.pool.ntp.org nomodify nopeer noquery notrap
 restrict 127.0.0.1
 restrict -6 ::1
 restrict 127.127.1.0

and ran

 service ntpd restart
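The two ntp.conf variants in these entries take different routes to the same goal. The 02/14 version uses `restrict default ignore` together with restrict lines keyed on pool hostnames; the 02/20 version keeps time service open for everyone but refuses mode 6/7 queries with `noquery` on the default restriction and switches off the monitoring facility with `disable monitor`, which is what monlist reads from. As an added example, not from the original diary, the Python audit below reads an ntp.conf and reports whether monlist amplification is still possible and whether the fragile `restrict default ignore` plus hostname-based restrict combination is in use: ntpd resolves a hostname in a `restrict` line to one address when it starts, while pool names rotate between many addresses, so replies from other pool members are silently dropped under `ignore`. The embedded configs are the two from this page plus one constructed open config; the finding codes are this example's own naming.

```python
import ipaddress

# The 02/14 configuration from this page.
CONF_0214 = """\
restrict default ignore
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

# The 02/20 configuration from this page.
CONF_0220 = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

disable monitor

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

# Constructed: a typical pre-2014 default that still answers mode 7 queries.
CONF_OPEN = """\
server 0.freebsd.pool.ntp.org iburst   # comment to be stripped
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""


def _is_address(token):
    """True for a literal IPv4/IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _queries_blocked(flags):
    """noquery refuses mode 6/7 (ntpq/ntpdc, including monlist); ignore drops everything."""
    return "noquery" in flags or "ignore" in flags


def audit_ntp_conf(text):
    """Parse an ntp.conf and return the restrict state plus a list of (code, message) findings."""
    monitor_disabled = False
    default_flags = {}          # "4" / "6" -> set of flags on "restrict [-6] default"
    hostname_restricts = []     # restrict lines keyed on a name rather than an address
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "disable" and "monitor" in tok[1:]:
            monitor_disabled = True
        elif tok[0] == "server" and len(tok) > 1:
            servers.append(tok[1])
        elif tok[0] == "restrict" and len(tok) > 1:
            family, rest = "4", tok[1:]
            if rest[0] in ("-4", "-6"):
                family, rest = rest[0][1], rest[1:]
            if not rest:
                continue
            target, flags = rest[0], set(rest[1:])
            if target == "default":
                default_flags[family] = flags
            elif not _is_address(target):
                hostname_restricts.append(target)

    findings = []
    v4 = default_flags.get("4")
    if v4 is None:
        findings.append(("NO_DEFAULT_RESTRICT", "no 'restrict default' line: every client gets full access"))
    if not monitor_disabled and not (v4 is not None and _queries_blocked(v4)):
        findings.append(("MONLIST_OPEN", "mode 7 (monlist) answered for anyone: add 'disable monitor' and 'noquery' on restrict default"))
    if any("ignore" in f for f in default_flags.values()):
        findings.append(("DEFAULT_IGNORE", "'restrict default ignore' also drops replies from time servers not matched by a more specific restrict line"))
    if hostname_restricts:
        findings.append(("HOSTNAME_RESTRICT", "restrict by hostname is resolved once at start-up; rotating pool names will not match later: " + ", ".join(hostname_restricts)))
    if "6" not in default_flags:
        findings.append(("NO_IPV6_DEFAULT", "no 'restrict -6 default' line: IPv6 clients are not covered"))
    return {
        "monitor_disabled": monitor_disabled,
        "default_flags": default_flags,
        "hostname_restricts": hostname_restricts,
        "servers": servers,
        "findings": findings,
    }


def finding_codes(report):
    """Just the finding codes, for quick comparison."""
    return {code for code, _ in report["findings"]}


if __name__ == "__main__":
    for name, conf in (("02/14", CONF_0214), ("02/20", CONF_0220), ("open", CONF_OPEN)):
        print(name, sorted(finding_codes(audit_ntp_conf(conf))))
```

The 02/20 configuration comes back clean; the 02/14 one has no monlist exposure either, because `ignore` drops the queries outright, but it is flagged for the `ignore` plus hostname combination that leaves time synchronisation at the mercy of which pool address happens to answer.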