Unusually high incoming NTP traffic, possibly a DDoS attac

Posted: Tue Feb 03, 2015 1:18 pm
by lz1dsb
Yesterday I got a strange behaviour on one of our routers. It's an edge router having a BGP session with one of our ISPs.
Anyway, long story short - the device was unresponsive from its public IP address. I was able to ssh into the router from an internal server and immediately realized that there was abnormally high incoming traffic on one of the interfaces.
I ran /tool sniffer quick and saw something disturbing:
sfp1         7.098 470055 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470056 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        210.61.198.205:123 (ntp)          
sfp1         7.098 470057 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470058 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        125.212.95.2:123 (ntp)            
sfp1         7.098 470059 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        88.249.91.154:123 (ntp)           
sfp1         7.098 470060 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        89.228.4.42:123 (ntp)             
sfp1         7.098 470061 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        212.58.144.54:123 (ntp)           
sfp1         7.098 470062 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470063 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        114.33.113.30:123 (ntp)           
sfp1         7.098 470064 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470065 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        203.186.84.166:123 (ntp)          
sfp1         7.098 470066 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470067 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        210.61.198.205:123 (ntp)          
sfp1         7.098 470068 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        82.222.57.82:123 (ntp)            
sfp1         7.098 470069 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp)          
sfp1         7.098 470070 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        41.72.99.79:123 (ntp)             
sfp1         7.098 470071 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        114.34.190.92:123 (ntp)           
sfp1         7.098 470072 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        203.115.131.98:123 (ntp)          
sfp1         7.098 470073 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        66.207.205.99:123 (ntp)           
sfp1         7.098 470074 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90        211.76.126.213:123 (ntp) 
As it was critical to react quickly, I just went on and disabled the NTP client on the router. The suspicious inbound traffic disappeared.
The question is, why is this happening at all? Here's my NTP client configuration along with an excerpt from the firewall config:
> system ntp client print
enabled: no
primary-ntp: 193.79.237.14
secondary-ntp: 209.51.161.238
mode: unicast
21 ;;; NTP Server
chain=input action=accept src-address=209.51.161.238 log=no log-prefix=""

22 ;;; NTP Server
chain=input action=accept src-address=193.79.237.14 log=no log-prefix=""
The source IP addresses of both NTP servers are allowed into the input chain, which ends with "drop" everything else. The NTP server package is not even installed! Am I missing something? How was it possible for my public IP address to attract so much inbound NTP traffic?
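Added here as an illustration, not part of the thread or of RouterOS: a small Python helper that parses /tool sniffer quick lines in the layout shown above and checks whether inbound packets sourced from UDP/123 come from hosts other than the two servers configured in /system ntp client. Replies the router never asked for, arriving from many distinct NTP servers, is the pattern a defender looks for when deciding whether the router is receiving reflected traffic; the column layout and the sample lines below are assumptions modelled on the post, with documentation addresses added as non-NTP noise.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "/tool sniffer quick" output in the post:
# interface, time, packet number, direction, src MAC, dst MAC, src IP:port (proto).
# 198.51.100.7 and 203.0.113.9 are documentation addresses added as non-NTP noise.
SAMPLE = """\
sfp1 7.098 470055 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90 82.222.57.82:123 (ntp)
sfp1 7.098 470056 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90 210.61.198.205:123 (ntp)
sfp1 7.098 470057 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90 211.76.126.213:123 (ntp)
sfp1 7.098 470058 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90 193.79.237.14:123 (ntp)
sfp1 7.099 470059 <- 50:87:89:56:48:A1 D4:CA:6D:73:A5:90 198.51.100.7:54321 (udp)
sfp1 7.099 470060 -> D4:CA:6D:73:A5:90 50:87:89:56:48:A1 203.0.113.9:443 (tcp)
"""

# One sniffer line; whitespace between columns varies, so \s+ is used throughout.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    r"(?P<smac>[0-9A-Fa-f:]{17})\s+(?P<dmac>[0-9A-Fa-f:]{17})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+\((?P<proto>\w+)\)"
)

def parse(text):
    """Yield one dict per sniffer line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            yield d

def ntp_reflection_report(text, configured_servers, min_sources=3):
    """Summarise inbound packets whose source port is 123.

    Returns (inbound_ntp_count, per_source_counts, unexpected_sources, suspicious).
    A unicast NTP client only expects replies from the servers it is configured
    with, so source-port-123 packets from any other host were never requested.
    'suspicious' is set once at least min_sources such hosts are seen.
    """
    inbound_ntp = [p for p in parse(text) if p["dir"] == "<-" and p["port"] == 123]
    sources = Counter(p["ip"] for p in inbound_ntp)
    unexpected = {ip for ip in sources if ip not in configured_servers}
    suspicious = len(unexpected) >= min_sources
    return len(inbound_ntp), dict(sources), unexpected, suspicious

if __name__ == "__main__":
    servers = {"193.79.237.14", "209.51.161.238"}  # from /system ntp client print
    print(ntp_reflection_report(SAMPLE, servers))
```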

Re: Unusually high incoming NTP traffic, possibly a DDoS a

Posted: Tue Feb 03, 2015 1:34 pm
by emils
What RouterOS version are you using? Pre-v6.24 versions are vulnerable to NTP DDoS attacks - http://support.ntp.org/bin/view/Main/SecurityNotice

Re: Unusually high incoming NTP traffic, possibly a DDoS attac

Posted: Wed Feb 04, 2015 2:37 pm
by lz1dsb
This could be the case. I'm using version 6.20 on both CCRs at that location.
Is there a document by MikroTik stating that vulnerability?

Re: Unusually high incoming NTP traffic, possibly a DDoS attac

Posted: Wed Feb 04, 2015 2:59 pm
by emils

Re: Unusually high incoming NTP traffic, possibly a DDoS attac

Posted: Sun Aug 09, 2015 7:38 pm
by lyovav22
Hi. I have the same problem on router RB751G-2HnD (mipsbe):
high incoming NTP traffic, up to 100MB.
I need help to resolve this problem.

Re: Unusually high incoming NTP traffic, possibly a DDoS attac

Posted: Thu Aug 13, 2015 7:46 pm
by lyovav22
Up...