This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

NTP attacks - threshold-based blocks?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NTP attacks - threshold-based blocks?

aaronm
L1 Bithead

‎01-22-2014 07:44 AM

Our campus has been getting a lot of NTP DDoS attacks of late.  While the simple solution would be to shut it down except for necessary systems, the problem (as per usual in public-sector) is that everyone seems to want to run something that uses it and complains if we start blocking.

Looking at the attacks, it's very easy to see the difference between a legitimate NTP query (1 or 2 packets) and an attack.   My question is: Is there a way to define a threshold-based filter that will drop or block the attack as with brute-force type attacks?  That would solve all of the issues.

Labels:
9 REPLIES 9

Phoenix
L4 Transporter

‎01-22-2014 10:24 AM

Hello aaronm,

We can have a threshold based filter with respect to the sessions. In DOS protection profile we can set the Resource Protection to lets say 10 sessions, any traffic coming more than 10 sessions at a time is blocked and we can see the results in global counters.

This is purely used in scenarios where a specific traffic is bombarded. But if anything less than 10 sessions or 10 new packets it allows.

In the DOS rule we can configure the source and destination zone and source and destination IPs accordingly to narrow down right to the attacker.

dos-res.PNG.png

Hope this helps.

0 Likes Likes

aaronm
L1 Bithead
In response to Phoenix

‎01-22-2014 10:39 AM

Hmm... that might work if I can create a firewall rule to limit such DoS protection to only the NTP traffic - applying that to the campus traffic as a whole would seriously break things.

0 Likes Likes

Phoenix
L4 Transporter
In response to aaronm

‎01-22-2014 12:15 PM

In the DOS rule we have an option to specify the service. We can provide port 123 for NTP and that should help by not matching all other campus traffic and only NTP.

Thanks

0 Likes Likes

aaronm
L1 Bithead
In response to Phoenix

‎01-22-2014 01:55 PM

Yes - I was looking into it and that was the approach that I was going to try taking.  The catch is, we only want this applied on a per IP basis, not to all traffic using UDP 123, or again, with over 40K devices, that threshold would be overrun very quickly.

It would be better if PAN could define a new brute-force vulnerability for NTP so that it could be setup with a configurable threshold, and then an action be picked as a result.  Until that happens though (or if it happens at all) the DoS method may be the only thing I have to use against it.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks