[Info-vax] Warning: Your VMS system may be attacking other systems

Michael Moroney moroney at world.std.spaamtrap.com
Sat Feb 1 10:40:58 EST 2014


There is an NTP-based DDOS going on, and VMS systems will participate.

Recently, a friend wondered why the NTP process on his Alpha was racking
up hours of CPU time and zillions of I/Os.  Figuring it was a bug in NTP,
he stopped and restarted NTP a couple of times, to no effect.  Later he
and another friend figured it was part of a DDOS amplification attack. A
system on the internet sends an NTP query packet with the forged source of
a victim.  The target responds (to the victim) with packets many times
larger than the original query.  Doing this to many systems results in a
flood of data to the victim with little outgoing traffic from the bad guy.

Last night I noticed my TCPIP$NTP_1 process had racked up 2 1/2 hours of
CPU time and enough I/Os to run into the next column.  Looking at NTP, I
see some 600 systems on the internet (all likely zombies) had poked at NTP
on my system.  My system was participating in the DDOS.  I stopped NTP
until I figure out what to do to exclude random attackers.

Anyway, if you are running a VMS system connected to the net, look at
your TCPIP$NTP_1 process; if it's racking up hours of CPU time and
zillions of I/Os, it is likely participating.

I don't know what other OSes participate, but it's probably several, since
so many widgets use NTP to set time these days.

I'll reply to this when I find a good way to handle this.
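The pattern described above (small queries from many forged sources drawing much larger replies) can be spotted from per-exchange traffic records. The following is an added example, not code from the original post or from VMS TCPIP; the record format and sample addresses are constructed here.

```python
# Added example (not from the original post): flag the traffic pattern the
# post describes, small NTP queries that draw replies many times larger,
# repeated from many sources. Records are a constructed "src_ip,req_bytes,
# resp_bytes" format, not a VMS TCPIP log format.
from collections import defaultdict

# Constructed sample: 192.0.2.10 is a normal 48-byte/48-byte client; the
# other two addresses are the (spoofed) victims of amplified replies.
SAMPLE_RECORDS = """\
192.0.2.10,48,48
192.0.2.10,48,48
203.0.113.7,8,468
203.0.113.7,8,468
203.0.113.7,8,468
203.0.113.7,8,468
198.51.100.23,8,440
198.51.100.23,8,440
198.51.100.23,8,440
"""

def summarize(records):
    """Per source address: query count, total request and response bytes."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for line in records.splitlines():
        if not line.strip():
            continue
        src, req, resp = line.split(",")
        stats[src]["queries"] += 1
        stats[src]["req"] += int(req)
        stats[src]["resp"] += int(resp)
    return dict(stats)

def amplification(s):
    """Bytes sent back per byte received; the amplification factor."""
    return s["resp"] / s["req"] if s["req"] else 0.0

def flag_amplifiers(records, min_ratio=5.0, min_queries=3):
    """Sources with >= min_queries queries whose replies total >= min_ratio
    times the queries. Returns {src: (queries, ratio)}."""
    flagged = {}
    for src, s in summarize(records).items():
        ratio = amplification(s)
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[src] = (s["queries"], round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for src, (n, ratio) in sorted(flag_amplifiers(SAMPLE_RECORDS).items()):
        print(f"{src}: {n} queries, {ratio}x amplification")
```

A flagged source is the address receiving the amplified replies, not the sender; the useful response is to stop answering the query type that produces the large replies, which is what makes the server a reflector.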


