[Info-vax] Warning: Your VMS system may be attacking other systems
Bill Gunshannon
bill at server2.cs.scranton.edu
Sat Feb 1 12:33:14 EST 2014
In article <lcj4ia$1aq$2 at pcls7.std.com>,
moroney at world.std.spaamtrap.com (Michael Moroney) writes:
> There is an NTP-based DDOS going on, and VMS systems will participate.
>
> Recently, a friend wondered why the NTP process on his Alpha was racking
> up hours of CPU time and zillions of I/Os. Figuring it was a bug in NTP,
> he stopped and restarted NTP a couple of times, to no effect. Later he
> and another friend figured it was part of a DDOS amplification attack. A
> system on the internet sends an NTP query packet with the forged source of
> a victim. The target responds (to the victim) with packets many times
> larger than the original query. Doing this to many systems results in a
> flood of data to the victim with little outgoing traffic from the bad guy.
>
> Last night I noticed my TCPIP$NTP_1 process had racked up 2 1/2 hours of
> CPU time and enough I/Os to run into the next column. Looking at NTP, I
> see some 600 systems on the internet (all likely zombies) had poked at NTP
> on my system. My system was participating in the DDOS. I stopped NTP
> until I figure out what to do to exclude random attackers.
>
> Anyway, if you are running a VMS system connected to the net, look at
> your TCPIP$NTP_1 process; if it's racking up hours of CPU time and
> zillions of I/Os, it is likely participating.
>
> I don't know what other OS's participate, but it's probably several, since
> so many widgets use NTP to set time these days.
>
> I'll reply to this when I find a good way to handle this.
How about blocking all ntp traffic both in and out at your firewall
except for the specific address of your ntp peers?
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999 at cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
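
The allowlist rule suggested in the reply above, applied to a traffic summary. This is an added example, not part of the original post or of any VMS tooling; the peer addresses, the flow records and the packet sizes are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

NTP_PORT = 123
# Assumption: the NTP peers this host syncs with (documentation-range addresses).
PEERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}

# Constructed sample: (direction, remote address, UDP port, bytes) seen at the firewall.
FLOWS = [
    ("in",  "192.0.2.10",   123, 76),
    ("out", "192.0.2.10",   123, 76),
    ("in",  "203.0.113.5",  123, 50),     # small query, source address may be forged
    ("out", "203.0.113.5",  123, 4400),   # much larger reply sent to that "source"
    ("in",  "198.51.100.7", 123, 50),
    ("out", "198.51.100.7", 123, 4400),
    ("out", "192.0.2.11",   123, 76),
    ("in",  "192.0.2.11",   123, 76),
]

def allowed(remote, port, peers=PEERS):
    """The rule from the reply: NTP passes only to or from a known peer."""
    return port != NTP_PORT or ip_address(remote) in peers

def summarize(flows, peers=PEERS):
    """Per remote host: NTP bytes in/out, out/in ratio, and whether the rule drops it."""
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for direction, remote, port, size in flows:
        if port == NTP_PORT:
            stats[remote][direction] += size
    report = {}
    for remote, s in stats.items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        report[remote] = {"bytes_in": s["in"], "bytes_out": s["out"], "ratio": ratio,
                          "dropped": not allowed(remote, NTP_PORT, peers)}
    return report

def reflected_bytes(flows, peers=PEERS):
    """Outbound NTP bytes the allowlist would have kept off the wire."""
    return sum(size for d, remote, port, size in flows
               if d == "out" and not allowed(remote, port, peers))

if __name__ == "__main__":
    for remote, row in sorted(summarize(FLOWS).items()):
        print(remote, row)
    print("outbound bytes blocked by the allowlist:", reflected_bytes(FLOWS))
```

Hosts with a high out/in ratio that are not configured peers are the ones the firewall rule would cut off; traffic to the two peers is unaffected.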