Preventing Participation in Distributed Denial of Service
Over the past week, XMission has seen a sharp spike in Distributed Denial of Service (DDoS) attacks. These attacks utilize spoofing of requests over UDP services to servers that would otherwise believe they are coming from a trusted source. Essentially these unwitting servers act as amplifiers, taking in a few bytes of a command and spewing back multiples in output. The attacker spoofs the request as coming from an intended target, and servers all over the Internet respond in kind, filling the target’s connection with unrequested garbage data.
The two primary DDoS service targets are Domain Name Service (DNS) and Network Time Protocol (NTP). These can be implemented anywhere from on-purpose by a server administrator to an off-the-shelf wireless router. From now on, XMission will be proactively scanning for these servers and notifying customers. We also may proactively block outside DNS/NTP access to your IP address, so it can not be abused.
Here is how you can secure your network against these types of attacks.
- Stop running a DNS server for your network. Utilize the XMission DNS servers that have been hardened against these types of attacks. They are located at:
IPv4: 198.60.22.2 198.60.22.22
IPv6: 2607:fa18::1 2607:fa18::2 - If you would still like to run a DNS server for your own use, firewall it from access from the outside. This can be done by blocking inbound access to UDP port 53.
- If your DNS server is authoritative (serving DNS to the Internet for your domain), add “recursion no;” to your default view.
- If you are running BIND and you absolutely need outside access to your DNS servers, then apply the “rate limiting” patches located here.
- Stop running an NTP server for your network. Utilize the XMission NTP server that has been hardened against these types of attacks. It is located at:
DNS: clock.xmission.com
IPv4: 198.60.22.240
IPv4: 2607:fa18::2407 - Firewall your NTP server from outside access. This is done by blocking UDP port 123. This can cause problems if you are trying to sync with outside NTP servers, so you may want to exempt their IP addresses for access.
- If you are running ntpd, you can stop others from abusing the monitor command by adding the following lines to your ntp.conf:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
Please feel free to contact XMission Support if you have any questions or concerns about DDoS attacks.
Science and Engineering Fair Judges Needed! Google Fiber in Salt Lake City?
Comments are currently closed.