lz1dsb
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Unusually high incoming NTP traffic, possibly a DDoS attack

Tue Feb 03, 2015 1:18 pm

Yesterday I got a strange behaviour on one of our routers. It's an edge router having a BGP session with one of our ISPs.
Anyway, long story short - the device was unresponsive from its public IP address. I was able to ssh into the router from an internal server and immediately realized that there was abnormally high incoming traffic on one of the interfaces.
I ran /tool sniffer quick and saw something disturbing:
sfp1         7.098 470055 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470056 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        210.61.198.205:123 (ntp)          
sfp1         7.098 470057 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470058 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        125.212.95.2:123 (ntp)            
sfp1         7.098 470059 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        88.249.91.154:123 (ntp)           
sfp1         7.098 470060 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        89.228.4.42:123 (ntp)             
sfp1         7.098 470061 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        212.58.144.54:123 (ntp)           
sfp1         7.098 470062 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470063 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        114.33.113.30:123 (ntp)           
sfp1         7.098 470064 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470065 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        203.186.84.166:123 (ntp)          
sfp1         7.098 470066 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470067 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        210.61.198.205:123 (ntp)          
sfp1         7.098 470068 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470069 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470070 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        41.72.99.79:123 (ntp)             
sfp1         7.098 470071 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        114.34.190.92:123 (ntp)           
sfp1         7.098 470072 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        203.115.131.98:123 (ntp)          
sfp1         7.098 470073 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        66.207.205.99:123 (ntp)           
sfp1         7.098 470074 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp) 
As it was critical to react quickly, I just went on and disabled the NTP client on the router. The suspicious inbound traffic disappeared.
The question is, why is this happening at all? Here's my NTP client configuration along with an excerpt from the firewall config:
> system ntp client print
enabled: no
primary-ntp: 193.79.237.14
secondary-ntp: 209.51.161.238
mode: unicast
21 ;;; NTP Server
chain=input action=accept src-address=209.51.161.238 log=no log-prefix=""

22 ;;; NTP Server
chain=input action=accept src-address=193.79.237.14 log=no log-prefix=""
The source IP addresses of both NTP servers are allowed into the input chain, which ends with a "drop everything else" rule. The NTP server package is not even installed! Am I missing something? How was it possible for my public IP address to attract so much inbound NTP traffic?
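The capture above shows UDP/123 replies arriving from many servers the router never queried, while only two servers are configured. The following added example (not from the original post) is a small triage script that parses lines in the same format as RouterOS "/tool sniffer quick" output, counts inbound packets with source port 123 per source IP, and splits them into replies from the configured servers versus unsolicited ones; the sample capture is constructed from a few lines of the post, and the expected server list is taken from the "/system ntp client print" output.

```python
import re
from collections import Counter

# Constructed sample in the format of "/tool sniffer quick" output, modelled on
# the capture in the post above (only a handful of lines, not the full capture).
SAMPLE_CAPTURE = """\
sfp1         7.098 470055 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)
sfp1         7.098 470056 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        210.61.198.205:123 (ntp)
sfp1         7.098 470057 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)
sfp1         7.098 470058 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)
sfp1         7.099 470059 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        193.79.237.14:123 (ntp)
"""

# The two servers from the poster's NTP client configuration; replies from these
# are expected, anything else arriving from UDP/123 is unsolicited.
CONFIGURED_NTP_SERVERS = {"193.79.237.14", "209.51.161.238"}

# interface, time, packet number, direction, src MAC, dst MAC, ip:port, (proto)
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]{17})\s+(?P<dst_mac>[0-9A-Fa-f:]{17})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+\((?P<proto>\w+)\)"
)

def parse_sniffer(text):
    """Yield one dict per line that matches the sniffer quick format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage_ntp(text, expected=CONFIGURED_NTP_SERVERS):
    """Count inbound packets with source port 123 per source IP and separate
    replies from configured servers from unsolicited ones."""
    inbound = Counter()
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "<-" and pkt["port"] == "123":
            inbound[pkt["ip"]] += 1
    unsolicited = {ip: n for ip, n in inbound.items() if ip not in expected}
    return {
        "total_inbound_ntp": sum(inbound.values()),
        "expected": {ip: n for ip, n in inbound.items() if ip in expected},
        "unsolicited": unsolicited,
        "distinct_unsolicited_sources": len(unsolicited),
    }

if __name__ == "__main__":
    print(triage_ntp(SAMPLE_CAPTURE))
```

A high count of distinct unsolicited sources, all with source port 123, is the pattern to look for when deciding whether the router's own public address is on the receiving end of reflected NTP traffic rather than talking to its configured servers.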
 
emils
MikroTik Support
Posts: 507
Joined: Thu Dec 11, 2014 8:53 am

Re: Unusually high incoming NTP traffic, possibly a DDoS attack

Tue Feb 03, 2015 1:34 pm

What RouterOS version are you using? Pre v6.24 versions are vulnerable to NTP DDoS attacks - http://support.ntp.org/bin/view/Main/SecurityNotice
 
lz1dsb
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Unusually high incoming NTP traffic, possibly a DDoS attack

Wed Feb 04, 2015 2:37 pm

This could be the case. I'm using version 6.20 on both CCRs at that location.
Is there a document by MikroTik stating that vulnerability?
 
emils
MikroTik Support
Posts: 507
Joined: Thu Dec 11, 2014 8:53 am

Re: Unusually high incoming NTP traffic, possibly a DDoS attack

Wed Feb 04, 2015 2:59 pm

 
lyovav22
just joined
Posts: 4
Joined: Sun Aug 09, 2015 7:31 pm

Re: Unusually high incoming NTP traffic, possibly a DDoS attack

Sun Aug 09, 2015 7:38 pm

Hi. I have the same problem on a router RB751G-2HnD (mipsbe):
high incoming NTP traffic up to 100MB.
I need help resolving this problem.
 
lyovav22
just joined
Posts: 4
Joined: Sun Aug 09, 2015 7:31 pm

Re: Unusually high incoming NTP traffic, possibly a DDoS attack

Thu Aug 13, 2015 7:46 pm

Up...