Re: Unusual outbound traffic on NetBSD 5_Stable Firewall

To: "Eric Schnoebelen" <eric%cirr.com@localhost>
Subject: Re: Unusual outbound traffic on NetBSD 5_Stable Firewall
From: yancm%SDF.ORG@localhost
Date: Sat, 4 Jan 2014 16:06:13 -0500

> "Eric Schnoebelen" <eric%cirr.com@localhost> writes:
> yancm%SDF.ORG@localhost writes:
> - Just recently my network started coming to a crawl and I noticed high
> - outbound traffic on my outward facing interface wm0 with no reciprocal
> - traffic from my home network on wm1.
> It sounds a bit like an amplification attack..
> Are you running ntp on the firewall?  Is it allowing/accepting
> connections from the public network?
> I ask because I've seen several of my own systems used as amplifiers
> in NTP amplification DDOS attacks on others.  (in the process,
> saturating my uplinks, effectively DOSing my networks.. :( )

Yes, ntpd, promiscuous...bad me...

Eric, yourself and Martin Husemann both pointed to the same thing.
I killed the process and added the flag -I wm1 so it only listens
inside as intended. I saw an immediate drop in traffic so it looks
like my ntp was being use as you say.

thanks to both of you for the quick responses!

Prev by Date: Re: Unusual outbound traffic on NetBSD 5_Stable Firewall
Next by Date: I need a tool to manipulate a large pdf file
Previous by Thread: Re: Unusual outbound traffic on NetBSD 5_Stable Firewall
Next by Thread: I need a tool to manipulate a large pdf file
Indexes:

Home | Main Index | Thread Index | Old Index