Shogun (Premium), posted February 13, 2014

I copied parts of this file from a site that I have long forgotten; my apologies for not giving credit. They have been used on our server for years, and at the very least I can confirm that they are not harmful.

These system settings are intended to help defend your dedicated server against small DoS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:

```
net.inet.tcp.syncookies=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=1
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728
```

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.
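A settings list like the one above is only useful if the kernel actually holds those values, so here is an added audit script (not part of the post, and not a FreeBSD tool) that compares a sysctl.conf-style list against a `key=value` dump of the running values and reports OK, DRIFT or MISSING per key. The sample data at the bottom is constructed for a stand-alone run; on a real box you would feed it `/etc/sysctl.conf` and the output of `sysctl -ae`.

```sh
#!/bin/sh
# sysctl_audit WANTED CURRENT
#   WANTED:  lines of key=value, the format of /etc/sysctl.conf (comments allowed)
#   CURRENT: lines of key=value as printed by `sysctl -ae` on FreeBSD
# Prints one line per wanted key and returns 0 only when every key matches.
sysctl_audit() {
    wanted=$1; current=$2; rc=0
    # Drop comments and blank lines; sysctl keys/values contain no spaces,
    # so plain word splitting in the for-loop is safe here.
    clean=$(printf '%s\n' "$wanted" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    for line in $clean; do
        key=${line%%=*}
        want=${line#*=}
        # Exact-key match so net.inet.ip.redirect never matches icmp.drop_redirect.
        have=$(printf '%s\n' "$current" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING $key (kernel does not export it; check the sysctl name)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "DRIFT   $key want=$want have=$have"; rc=1
        else
            echo "OK      $key"
        fi
    done
    return $rc
}

# Constructed sample data (not a real kernel dump). Real use:
#   sysctl_audit "$(cat /etc/sysctl.conf)" "$(sysctl -ae)"
WANTED='net.inet.tcp.syncookies=1
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.blackhole=2
tcp.path_mtu_discovery=0   # constructed typo: missing net.inet. prefix'
CURRENT='net.inet.tcp.syncookies=1
net.inet.ip.redirect=1
net.inet.icmp.drop_redirect=1
net.inet.tcp.blackhole=2'

if sysctl_audit "$WANTED" "$CURRENT"; then
    echo "all hardening settings are applied"
else
    echo "some settings need attention"
fi
```

With the sample data the script reports one DRIFT (ip.redirect still 1) and one MISSING (the misspelled key), which is exactly the kind of silent failure a "service sysctl restart" does not surface.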
Suspect, posted February 14, 2014 (edited August 26, 2022 by Metin2 Dev)

There is a new way to propagate DDoS attacks based on NTP (Network Time Protocol). The version available in the FreeBSD ports is still vulnerable, and they have disabled it, which made me unable to upgrade to the latest version. There are some articles about how to prevent "DDoS NTP amplification". I've got mine disabled until it is upgraded (in FreeBSD ports) to the latest version.

Here's an image explaining how this type of attack works, using a dedicated server as a DDoS amplifier through the NTP vulnerability:

[image: NTP amplification diagram, not included in this copy]
Shogun (Premium, author), posted February 14, 2014

Yeah, I received a letter from Worldstream about it and changed some settings in ntpd.conf to disable the NTP server capabilities. If you don't use NTP you aren't affected.
Rumor, posted February 14, 2014

I've recently been under NTP attacks too, though when checking "service ntpd onestatus" I was informed ntpd isn't even running..? Probably because it isn't set to run in rc.conf?
Sober, posted March 10, 2014

I have had a huge problem with NTP attacks too, and I didn't find any solution. Also, my web hosting company kicked me out just because they were unable to filter it -.- If anyone can make a tutorial on how to completely remove it, that would be nice. I don't see any reason for using it if I can set the time on my own.

Edit: @Shogun, how does Worldstream allow you to host your server there? I thought that with a simple fake DMCA letter anyone could take down a Metin2 server hosted there.
Rumor, posted March 10, 2014

They can. I also don't understand why he likes Worldstream; several people have been shut down there, including me with AlpineMT2.
Shogun (Premium, author), posted March 11, 2014

Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.
Sober, posted March 11, 2014

> Worldstream is great for cheap dedicated servers for test stuff which you don't need protected. Very solid hardware too.

Yes, that's true. Anyway, if anyone could do a tutorial on how to remove NTP completely it would be nice, because I have upgraded to FreeBSD 10.0 and I was still vulnerable. Also, I have tried upgrading to the latest version, which was 4.2.6 instead of 4.2.7; I don't know why :S
Shogun (Premium, author), posted March 12, 2014

Just remove it from rc.conf, or, if you want to use NTP but not be vulnerable to your machine getting used for reflection attacks, edit /etc/ntp.conf and uncomment the line that says "restrict default ignore".