This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About aaronm
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About aaronm
11-14-2018
7Posts
1Like
0Solutions
Nov 14, 2018Last Visited
User
Activity
User
Profile
Latest posts by aaronm
| Subject | Views | Posted |
|---|---|---|
| 3723 | 02-06-2014 10:42 AM | |
| 3723 | 02-06-2014 10:40 AM | |
| 3833 | 01-22-2014 01:55 PM | |
| 3833 | 01-22-2014 10:39 AM | |
| 3998 | 01-22-2014 07:44 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-22-2014 07:44 AM |
User Badges
Community Statistics
| Member Since | 04-24-2012 08:15 AM |
| Date Last Visited | 11-14-2018 01:08 PM |
| Posts | 7 |
| Total Likes Received | 1 |
02-06-2014
10:42 AM
For a custom signature, only ever built one that used existing vulnerabilities. Since those are not triggering in this case, how could I define a new one based simply on the fact that it is recognized as a NTP application?
... View more
02-06-2014
10:40 AM
The problem with this signature is that it's not what's being triggered in this case. In fact, none of the NTP vulnerabilities were getting triggered. It showed up instead as traffic and application "NTP". Blocking anything but legitimate is easier said than done here - being a university with a lot of scientists and research going on, it may take the security teams weeks or months to determine what is officially needed vs. wanted.
... View more
01-22-2014
01:55 PM
Yes - I was looking into it and that was the approach that I was going to try taking. The catch is, we only want this applied on a per IP basis, not to all traffic using UDP 123, or again, with over 40K devices, that threshold would be overrun very quickly. It would be better if PAN could define a new brute-force vulnerability for NTP so that it could be setup with a configurable threshold, and then an action be picked as a result. Until that happens though (or if it happens at all) the DoS method may be the only thing I have to use against it.
... View more
01-22-2014
10:39 AM
Hmm... that might work if I can create a firewall rule to limit such DoS protection to only the NTP traffic - applying that to the campus traffic as a whole would seriously break things.
... View more
01-22-2014
07:44 AM
1 Kudo
Our campus has been getting a lot of NTP DDoS attacks of late. While the simple solution would be to shut it down except for necessary systems, the problem (as per usual in public-sector) is that everyone seems to want to run something that uses it and complains if we start blocking. Looking at the attacks, it's very easy to see the difference between a legitimate NTP query (1 or 2 packets) and an attack. My question is: Is there a way to define a threshold-based filter that will drop or block the attack as with brute-force type attacks? That would solve all of the issues.
... View more
Labels:
- Labels:
-
Configuration
-
Panorama
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks