A new attack method that appeared in Europe in February 2014; it is essentially the same idea as DNS-based DDoS (reflection/amplification) attacks.
http://technews.tw/2014/02/11/united-states-warning-through-scheduled-server-ntp-new-ddos-hack-attack-tactics/
http://ssorc.tw/?p=4236
http://blog.gslin.org/archives/2014/02/13/4254/%E6%9C%80%E8%BF%91%E7%9A%84-ntp-attack-%E7%9A%84%E6%AA%A2%E6%B8%AC/
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
http://www.computerweekly.com/news/2240214216/NTP-based-DDoS-attacks-a-concern-says-Cloudflare
Mitigation
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
Juniper configuration, using a Firewall Filter (similar to a Cisco ACL):
remote-login ( filter name )
allow-ntp, deny-ntp ( term names )
set firewall family inet filter remote-login term allow-ntp from source-address 59.124.196.84/32 // source IP to allow (the NTP server we sync from)
set firewall family inet filter remote-login term allow-ntp from protocol udp // match protocol
set firewall family inet filter remote-login term allow-ntp from destination-port ntp // match destination port (UDP/123)
set firewall family inet filter remote-login term allow-ntp then accept // if it matches, allow it through
The next term is separate because only one filter can be applied per port (interface, per direction), so multiple filtering rules must be split into distinct terms within that filter.
set firewall family inet filter remote-login term deny-ntp from protocol udp // match protocol
set firewall family inet filter remote-login term deny-ntp from destination-port ntp // match destination port (UDP/123)
set firewall family inet filter remote-login term deny-ntp then discard // if it matches, drop it (any NTP not from the allowed server)
set firewall family inet filter remote-login term not-ntp then accept // catch-all: a Junos filter ends with an implicit discard, so without this term all other traffic to lo0 (management, routing protocols) would be dropped
set interfaces lo0 unit 1 family inet filter input remote-login // apply as the input filter on lo0 unit 1 (the loopback, i.e. traffic destined to the device itself)
set system ntp server 59.124.196.84 prefer // NTP server IP; prefer marks it as the preferred server
set system ntp server 192.168.1.254 // second NTP server IP
set system ntp source-address 192.168.1.1 // source address used for the device's own NTP packets
The above is the switch configuration; below is the router configuration. The commands differ only in their prefix (no "family inet"), and the router version ends with a "not-ntp" catch-all term that accepts all other traffic.
set firewall filter ntp term allow-ntp from source-address 59.124.196.84/32
set firewall filter ntp term allow-ntp from protocol udp
set firewall filter ntp term allow-ntp from destination-port ntp
set firewall filter ntp term allow-ntp then accept
set firewall filter ntp term deny-ntp from protocol udp
set firewall filter ntp term deny-ntp from destination-port ntp
set firewall filter ntp term deny-ntp then discard
set firewall filter ntp term not-ntp then accept // catch-all so that non-NTP traffic is not hit by the implicit discard at the end of the filter
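To see what this attack looks like from the server side, here is an added Python example (not code from the original post or from the linked articles) that classifies raw NTP payloads by their mode field and flags UDP/123 flows whose reply volume is far larger than the query volume, which is the signature of a host being used as a reflector toward a spoofed source. The key=value flow-record format, the Flow field names and all addresses are constructed for illustration.

```python
"""Spot NTP amplification traffic from flow records and raw NTP payloads.

Added example written for this post; it is not code from the original page
or from the linked articles. The flow-log format (key=value fields) and the
sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

NTP_PORT = 123
# NTP mode is the low three bits of the first header byte (RFC 5905).
# Modes 3/4 are normal client/server time sync; mode 7 is ntpd's private
# control mode, which carried the monlist query abused for amplification.
MODE_CLIENT, MODE_SERVER, MODE_PRIVATE = 3, 4, 7


def ntp_mode(payload: bytes) -> int:
    """Return the NTP mode encoded in the first header byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07


def ntp_version(payload: bytes) -> int:
    """Return the NTP version number (bits 3-5 of the first byte)."""
    if not payload:
        raise ValueError("empty NTP payload")
    return (payload[0] >> 3) & 0x07


def classify_ntp_payload(payload: bytes) -> str:
    """Label a UDP/123 payload by what its mode field says it is."""
    mode = ntp_mode(payload)
    if mode == MODE_PRIVATE:
        return "private-control"   # mode 7: monlist and other ntpdc queries
    if mode in (MODE_CLIENT, MODE_SERVER):
        return "time-sync"
    return "other"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    bytes_in: int    # bytes the server received from src
    bytes_out: int   # bytes the server sent back to src


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'flow k=v k=v ...' record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(
        src=fields["src"], dst=fields["dst"], proto=fields["proto"],
        sport=int(fields["sport"]), dport=int(fields["dport"]),
        bytes_in=int(fields["bytes_in"]), bytes_out=int(fields["bytes_out"]),
    )


def amplification_ratio(flow: Flow) -> float:
    """Reply bytes per request byte; a legitimate NTP exchange is about 1.0."""
    if flow.bytes_in == 0:
        return float("inf")
    return flow.bytes_out / flow.bytes_in


def suspicious_ntp_flows(flows: List[Flow], ratio_threshold: float = 10.0) -> List[Flow]:
    """Return UDP/123 flows whose reply volume dwarfs the query volume.

    A large ratio means this host answers small queries with large
    responses, i.e. it is usable as a reflector toward the (spoofed) src.
    """
    return [
        f for f in flows
        if f.proto == "udp" and f.dport == NTP_PORT
        and amplification_ratio(f) >= ratio_threshold
    ]


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_FLOW_LOG = """\
flow src=198.51.100.7 dst=203.0.113.10 proto=udp sport=40000 dport=123 bytes_in=48 bytes_out=43200
flow src=192.0.2.25 dst=203.0.113.10 proto=udp sport=123 dport=123 bytes_in=48 bytes_out=48
flow src=192.0.2.40 dst=203.0.113.10 proto=tcp sport=51000 dport=22 bytes_in=5200 bytes_out=41000
"""

if __name__ == "__main__":
    flows = [parse_flow_line(line) for line in SAMPLE_FLOW_LOG.splitlines()]
    for f in suspicious_ntp_flows(flows):
        print(f"reflector candidate: {f.dst} -> {f.src} ratio={amplification_ratio(f):.0f}")
    # First header byte of a constructed mode-7 query (0x17) and a mode-3 client query (0x23).
    print(classify_ntp_payload(b"\x17"), classify_ntp_payload(b"\x23"))
```

Only the first constructed record is flagged: 48 bytes in, 43200 bytes out, a ratio of 900. The second record is an ordinary symmetric time-sync exchange and the third is not NTP at all. On a server protected by the filter above, mode-7 queries from anything other than the allowed source should simply never reach ntpd, so a non-zero count of "private-control" payloads from outside is a useful sign that the filter is not applied where you think it is.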