Transmission

XMission's Company Journal

Preventing Participation in Distributed Denial of Service

18 Feb, 2014 Pete Ashdown Security & Safety, Tips & Helpful Information

Over the past week, XMission has seen a sharp spike in Distributed Denial of Service (DDoS) attacks. These attacks utilize spoofing of requests over UDP services to servers that would otherwise believe they are coming from a trusted source. Essentially these unwitting servers act as amplifiers, taking in a few bytes of a command and spewing back multiples in output. The attacker spoofs the request as coming from an intended target, and servers all over the Internet respond in kind, filling the target’s connection with unrequested garbage data.

The two primary DDoS service targets are Domain Name Service (DNS) and Network Time Protocol (NTP). These can be implemented anywhere from on-purpose by a server administrator to an off-the-shelf wireless router. From now on, XMission will be proactively scanning for these servers and notifying customers. We also may proactively block outside DNS/NTP access to your IP address, so it can not be abused.

Here is how you can secure your network against these types of attacks.

  1. Stop running a DNS server for your network. Utilize the XMission DNS servers that have been hardened against these types of attacks. They are located at:
    IPv4: 198.60.22.2 198.60.22.22
    IPv6: 2607:fa18::1 2607:fa18::2
  2. If you would still like to run a DNS server for your own use, firewall it from access from the outside. This can be done by blocking inbound access to UDP port 53.
  3. If your DNS server is authoritative (serving DNS to the Internet for your domain), add “recursion no;” to your default view.
  4. If you are running BIND and you absolutely need outside access to your DNS servers, then apply the “rate limiting” patches located here.
  5. Stop running an NTP server for your network. Utilize the XMission NTP server that has been hardened against these types of attacks. It is located at:
    DNS: clock.xmission.com
    IPv4: 198.60.22.240
    IPv4: 2607:fa18::2407
  6. Firewall your NTP server from outside access. This is done by blocking UDP port 123. This can cause problems if you are trying to sync with outside NTP servers, so you may want to exempt their IP addresses for access.
  7. If you are running ntpd, you can stop others from abusing the monitor command by adding the following lines to your ntp.conf:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    restrict 127.0.0.1
    restrict ::1

Please feel free to contact XMission Support if you have any questions or concerns about DDoS attacks.

Facebooktwitterredditpinterestlinkedinmail

, , ,

Comments are currently closed.

XMission Links + Resources

XMission.com Live Support Chat User Login Support Wiki

Recent Posts

Archives

Subscribe + Follow

Sign up to receive breaking news as well as receive other site updates. Alternatively you can subscribe to our RSS feed or follow us at Twitter.