NTP 482 NTP Version 2, private message

Operating System & Version: NTP 482 NTP Version 2, private
cPanel & WHM Version: v94.0.5

Bulent Tekcan
Well-Known Member, joined May 11, 2004
cPanel Access Level: Root Administrator
Hello,

I also have CSF, but it cannot be stopped. This attack sometimes comes from hundreds of IPs. After that, our server cannot be accessed. This attack hits only our mail IP. I closed all ports, including NTP, but it didn't help. NTP also listens only on local IPs.

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

My /etc/ntp.conf also includes these lines.

Any idea how to stop this attack? At this time, our target IP is closed off at the router.

Regards,
Bulent


139.880043136 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.882366931 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.884717429 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.887074679 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.889429325 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.891781180 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.894119032 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.896463335 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.898832206 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private
139.901198286 43.239.141.121 -> xxx.xxx.xxx.xxx NTP 482 NTP Version 2, private

Note: This screen is from tshark...


This is also from tcpdump:

19:42:23.402290 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.404172 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.406049 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.407936 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.409812 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.411686 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.413563 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
19:42:23.415436 IP po2.mia1-100.mia1.serverhub.com.ntp > mail.xxxxxxxxxxx.com.19838: NTPv2, Reserved, length 440
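The captures above show the symptom the victim of an NTP amplification attack sees: large NTPv2 mode 7 datagrams (labelled "private" by tshark and "Reserved" by tcpdump) arriving from port 123 of other people's NTP servers at the mail IP. That is why the local restrict lines cannot stop it: they govern what this server's own ntpd answers, while this traffic is replies from third-party servers to queries that spoofed the mail IP as their source. The Python script below is an added example, not code from the thread, from cPanel or from CSF. It parses lines in the two summary formats shown above (the sample lines are constructed, with documentation-range addresses and example.net/example.com hostnames) and reports, per reflector, the packet count, byte total and rate, which is the evidence an upstream provider or external firewall vendor needs in order to filter the flows before they reach the server.

```python
import re
from collections import defaultdict

# The two capture tools name NTP mode 7 differently: Wireshark/tshark prints
# "private", tcpdump prints "Reserved". On the wire it is the same mode.
MODE7_LABELS = {"private", "Reserved"}

# tshark one-line summary, e.g.
# 139.880043136 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private
# (the size column is the frame length)
TSHARK_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+NTP\s+(?P<size>\d+)\s+"
    r"NTP Version (?P<ver>\d), (?P<mode>\w+)"
)

# tcpdump summary, e.g.
# 19:42:23.402290 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440
# (the length is the UDP payload; the last dotted component of each host is the port)
TCPDUMP_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): NTPv(?P<ver>\d), (?P<mode>[\w ]+), length (?P<size>\d+)"
)


def parse_line(line):
    """Normalise one tshark or tcpdump summary line to a common record, or None."""
    m = TSHARK_RE.match(line)
    if m:
        return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
                "sport": None, "dport": None, "ver": int(m["ver"]),
                "mode": m["mode"], "size": int(m["size"])}
    m = TCPDUMP_RE.match(line)
    if m:
        ts = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        return {"ts": ts, "src": m["src"], "dst": m["dst"],
                "sport": m["sport"], "dport": m["dport"], "ver": int(m["ver"]),
                "mode": m["mode"], "size": int(m["size"])}
    return None


def is_mode7_response(rec, min_size=200):
    """True for a large NTPv2 mode 7 datagram coming from port ntp/123.

    An ordinary time-sync client never solicits mode 7 replies, so a stream of
    them arriving at a host is reflected amplification traffic aimed at it.
    The tshark summary format carries no ports, so for it only mode and size count.
    """
    if rec["ver"] != 2 or rec["mode"] not in MODE7_LABELS:
        return False
    if rec["sport"] is not None and rec["sport"] not in ("ntp", "123"):
        return False
    return rec["size"] >= min_size


def reflection_report(lines, min_packets=5, min_size=200):
    """Group mode 7 responses by (reflector, victim) and estimate the packet rate.

    Returns one dict per flow that reaches min_packets, largest flows first.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_mode7_response(rec, min_size):
            flows[(rec["src"], rec["dst"])].append(rec)
    report = []
    for (src, dst), recs in flows.items():
        if len(recs) < min_packets:
            continue
        span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
        report.append({
            "reflector": src,
            "victim": dst,
            "packets": len(recs),
            "bytes": sum(r["size"] for r in recs),
            "pps": len(recs) / span if span > 0 else float("inf"),
        })
    return sorted(report, key=lambda r: r["packets"], reverse=True)


# Constructed sample input in both formats (documentation-range addresses, example hostnames).
SAMPLE_LINES = [
    # tshark style: one reflector sending 482-byte mode 7 replies every ~2.3 ms
    "139.880043136 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private",
    "139.882366931 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private",
    "139.884717429 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private",
    "139.887074679 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private",
    "139.889429325 203.0.113.10 -> 198.51.100.25 NTP 482 NTP Version 2, private",
    # a normal NTPv4 server reply to our own ntpd: must not be flagged
    "139.890000000 192.0.2.50 -> 198.51.100.25 NTP 90 NTP Version 4, server",
    # tcpdump style: a second reflector, 440-byte mode 7 replies every ~1.9 ms
    "19:42:23.402290 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440",
    "19:42:23.404172 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440",
    "19:42:23.406049 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440",
    "19:42:23.407936 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440",
    "19:42:23.409812 IP reflector.example.net.ntp > mail.example.com.19838: NTPv2, Reserved, length 440",
]

if __name__ == "__main__":
    for flow in reflection_report(SAMPLE_LINES):
        print(f'{flow["reflector"]} -> {flow["victim"]}: {flow["packets"]} pkts, '
              f'{flow["bytes"]} bytes, ~{flow["pps"]:.0f} pps')
```

To run it on a real capture, feed it the output of `tshark` (summary lines as shown above) or `tcpdump -n` via `reflection_report(sys.stdin)`; with `-n` the source column holds IP addresses, which is the form an upstream filtering request needs. Note that the byte totals mix frame length (tshark) and UDP payload length (tcpdump) exactly as the tools report them, so compare flows only within one capture format.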
 

cPRex
Jurassic Moderator, Staff member, joined Oct 19, 2014
cPanel Access Level: Root Administrator
Hey there! If the attack is coming from hundreds of IPs, it is likely too large for you to mitigate with software. For this type of attack, it would be worth looking into external firewall options so your server itself doesn't have to try to handle the attack with a software firewall. There are also external tools such as Cloudflare that are able to deal with this in some situations: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
 