Fucking amplified NTP attacks!


After half a year we found one solution to reject NTP amplified attacks with iptables and ipfw. Simple:

iptables -A FORWARD -p udp -m udp --dport 123 -m u32 --u32 "0x1c=0x1700032a&&0x20=0x0" -m comment --comment "NTP amplification packets" -j DROP

iptables -A FORWARD -p udp -m udp --dport 123 -m u32 --u32 "0x0>>0x16&0x3c@0x8&0xff=0x2a" -m comment --comment "NTP amplification packets" -j DROP

ipfw deny udp from any to any dst-port 123 iplen 0-75
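Added example, not part of the original post: a Python model of the three rules above, run over constructed packets (a minimal monlist request, the same request behind an IP-options header, and an ordinary 48-byte client poll) so the hex constants can be checked byte by byte. The packet builder, the dummy addresses and the function names are assumptions made for this demonstration.

```python
import struct

# Constructed sample payloads (mode 7 header only, never sent anywhere)
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4  # LI=0 VN=2 mode=7, impl 3 (XNTPD), req 42 (MON_GETLIST_1)
CLIENT_REQ = bytes([0x23]) + b"\x00" * 47                   # LI=0 VN=4 mode=3: ordinary 48-byte client poll

def build_ipv4_udp(payload: bytes, ihl_words: int = 5) -> bytes:
    """Constructed IPv4+UDP datagram to port 123 (addresses, ids and checksums are dummies)."""
    ip_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_len - 20)                            # IP options padding when IHL > 5
    udp = struct.pack("!HHHH", 40000, 123, 8 + len(payload), 0)
    return ip + udp + payload

def u32(pkt: bytes, off: int):
    """Big-endian 32-bit read at a byte offset, as the u32 match does; None if the packet is too short."""
    return struct.unpack("!I", pkt[off:off + 4])[0] if off + 4 <= len(pkt) else None

def rule_u32_fixed(pkt: bytes) -> bool:
    # "0x1c=0x1700032a&&0x20=0x0": assumes a 20-byte IP header, so the NTP payload starts at byte 28
    return u32(pkt, 0x1C) == 0x1700032A and u32(pkt, 0x20) == 0

def rule_u32_ihl(pkt: bytes) -> bool:
    # "0x0>>0x16&0x3c@0x8&0xff=0x2a": (word0 >> 22) & 0x3c yields IHL*4, "@0x8" skips the UDP
    # header, then the low byte of the first NTP word (the request code) must be 0x2a
    hdr = u32(pkt, 0)
    if hdr is None:
        return False
    base = (hdr >> 22) & 0x3C
    word = u32(pkt, base + 8)
    return word is not None and (word & 0xFF) == 0x2A

def rule_ipfw_iplen(pkt: bytes) -> bool:
    # "iplen 0-75": total IP length shorter than a full 48-byte NTP payload (20 + 8 + 48 = 76)
    return len(pkt) <= 75

def classify(pkt: bytes) -> dict:
    """Which of the three rules would drop this packet."""
    return {"u32_fixed": rule_u32_fixed(pkt),
            "u32_ihl": rule_u32_ihl(pkt),
            "ipfw_iplen": rule_ipfw_iplen(pkt)}

if __name__ == "__main__":
    for name, pkt in [("monlist", build_ipv4_udp(MONLIST_REQ)),
                      ("monlist+ipopts", build_ipv4_udp(MONLIST_REQ, ihl_words=6)),
                      ("client poll", build_ipv4_udp(CLIENT_REQ))]:
        print(f"{name:15s} {classify(pkt)}")
```

Running it shows that the first u32 rule misses the monlist request once IP options shift the payload, while the IHL-aware second rule and the ipfw length rule still catch it, and that none of the three touch a normal client poll.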
