Today I noticed a high amount of outbound bandwidth and after a few hours of trying to track it down, it looks like it was being caused by my NTP server on my FreeBSD box. A tcpdump revealed the following:
Code:
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
Reserved, Leap indicator: clock unsynchronized (192), Stratum 27 (reserved), poll 3s, precision 42
Root Delay: 6.001098, Root dispersion: 9.866180, Reference-ID: 0.3.94.202
Reference Timestamp: 0.000000001
Originator Timestamp: 3425369346.752563534 (2008/07/18 07:29:06)
Receive Timestamp: 1.720032155 (2036/02/07 01:28:17)
Transmit Timestamp: 0.000000000
Originator - Receive Timestamp: +869597950.967468619
Originator - Transmit Timestamp: +869597949.247436463
18:51:51.708318 IP (tos 0x0, ttl 64, id 5180, offset 0, flags [none], proto UDP (17), length 468)
192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
Reserved, Leap indicator: clock unsynchronized (192), Stratum 28 (reserved), poll 3s, precision 42
Root Delay: 6.001098, Root dispersion: 0.000000, Reference-ID: 0.11.217.223
Reference Timestamp: 0.000000000
Originator Timestamp: 1191617992.752563534 (1937/10/05 15:59:52)
Receive Timestamp: 1.699234426 (2036/02/07 01:28:17)
Transmit Timestamp: 0.000000000
Originator - Receive Timestamp: -1191617991.053329106
Originator - Transmit Timestamp: -1191617992.752563536
18:51:51.708352 IP (tos 0x0, ttl 64, id 5181, offset 0, flags [none], proto UDP (17), length 468)
192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
Reserved, Leap indicator: clock unsynchronized (192), Stratum 29 (reserved), poll 3s, precision 42
Root Delay: 6.001098, Root dispersion: 0.000030, Reference-ID: 0.27.148.169
Reference Timestamp: 0.000000000
Originator Timestamp: 3232235522.752563534 (2002/06/04 23:12:02)
Receive Timestamp: 1.001877010 (2036/02/07 01:28:17)
Transmit Timestamp: 0.000000000
Originator - Receive Timestamp: +1062731774.249313473
Originator - Transmit Timestamp: +1062731773.247436463
18:51:51.708385 IP (tos 0x0, ttl 64, id 5182, offset 0, flags [none], proto UDP (17), length 468)
192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
Reserved, Leap indicator: clock unsynchronized (192), Stratum 30 (reserved), poll 3s, precision 42
Root Delay: 6.001098, Root dispersion: 0.094879, Reference-ID: 0.35.104.97
Reference Timestamp: 0.000002965
Originator Timestamp: 3325715693.752563534 (2005/05/21 21:54:53)
Receive Timestamp: 1.001877070 (2036/02/07 01:28:17)
Transmit Timestamp: 0.000000000
Originator - Receive Timestamp: +969251603.249313533
Originator - Transmit Timestamp: +969251602.247436463
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 368
Reserved, Leap indicator: -1s (128), Stratum 31 (reserved), poll 3s, precision 42
Root Delay: 5.001098, Root dispersion: 1.317703, Reference-ID: 0.99.52.36
Reference Timestamp: 0.000000001
Originator Timestamp: 1165526542.752563534 (1936/12/07 16:22:22)
Receive Timestamp: 1.860595882 (2036/02/07 01:28:17)
Transmit Timestamp: 0.000000000
Originator - Receive Timestamp: -1165526540.891967654
Originator - Transmit Timestamp: -1165526542.752563536
I turned off the ntpd server and the traffic stopped. I had port 123 UDP forwarded on the firewall. I had set that up years ago and I don't believe I need it? I have now turned that off.
Is it possible to do a DoS attack using NTP? That would be new to me.
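A short answer from the defender's side: an ntpd that answers control/monitoring queries (NTP modes 6 and 7) returns replies many times larger than the request, addressed to whatever source address the query carried, so an exposed server can be made to flood a third party. The dump above shows exactly that shape: 440-byte NTPv2 replies leaving port 123 toward a non-NTP port on 178.217.184.17, while a plain time reply is 48 bytes. The following Python is an added example, not code from the original post: it parses `tcpdump -v` NTP flow lines in the post's format and flags the reflected replies; the sample text is constructed (two lines copied from the post plus a hypothetical normal reply to a LAN client at 192.168.0.20).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the post's `tcpdump -v` output: the first two
# flows copy the post's reflected NTPv2 replies; the third is a hypothetical normal
# 48-byte time reply to a LAN client, included so the filter has something to ignore.
SAMPLE = """\
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 368
18:51:52.104000 IP (tos 0x0, ttl 64, id 5190, offset 0, flags [none], proto UDP (17), length 76)
    192.168.0.248.123 > 192.168.0.20.123: NTPv4, Server, length 48
"""

# Matches the flow summary line: "src.sport > dst.dport: NTPvN, ..., length L"
FLOW_RE = re.compile(r"^\s*(\S+)\.(\d+) > (\S+)\.(\d+): NTPv(\d+),.*length (\d+)\s*$")

@dataclass(frozen=True)
class NtpFlow:
    src: str
    sport: int
    dst: str
    dport: int
    version: int
    length: int  # NTP payload bytes, as printed by tcpdump

def parse_flows(text: str) -> list[NtpFlow]:
    """Extract the NTP flow lines; the IP header lines and the decoded
    timestamp fields that follow each flow in the dump are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            src, sport, dst, dport, ver, length = m.groups()
            flows.append(NtpFlow(src, int(sport), dst, int(dport), int(ver), int(length)))
    return flows

# A plain NTP time packet is 48 bytes (up to 68 with a MAC). A reply of several
# hundred bytes leaving port 123 toward a non-NTP port is a mode 6/7 control or
# monitoring answer, the kind that gets reflected to a spoofed source address.
MAX_TIME_PACKET = 68

def reflected_replies(flows: list[NtpFlow], our_ip: str) -> list[NtpFlow]:
    return [f for f in flows
            if f.src == our_ip and f.sport == 123 and f.dport != 123
            and f.length > MAX_TIME_PACKET]

def bytes_per_target(flows: list[NtpFlow]) -> dict[str, int]:
    """Sum reflected payload bytes per destination: the hosts receiving this
    traffic are the victims of the flood, not its originator."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.length
    return dict(totals)
```

Dropping the firewall forward stops outside hosts reaching the daemon; if the server must stay reachable, adding `restrict default kod nomodify notrap nopeer noquery` to ntp.conf makes ntpd refuse mode 6/7 queries while still serving time.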