Tag Archives: kulish

NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDoS attack.

The basic premise is that time requests are sent to the NTP service with a spoofed source IP, so the response goes to the victim rather than the sender. Multiply that by 100/1000/10000 clocks all sending responses to a server/service that never requested them, and the result is a denial of service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

At the height of the attack, from our perspective, we pushed 24 GB (bytes, not bits) of NTP traffic in 24 hours (not much by all accounts, but enough to help with the damage the asshat was trying to cause).

One clock was misconfigured: the noquery flag on its restrict line had been commented out (likely for initial testing), so the daemon answered status queries from anyone. This has been fixed.
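The misconfiguration above is the kind of thing a config audit catches before the pool does. The following is an added example (not code from the post or from ntpd): it parses the restrict lines of an ntp.conf, treats anything after "#" as a comment so a commented-out flag does not count as set, and reports non-loopback entries missing noquery or nomodify. The ntp.conf fragment is constructed for the example.

```python
"""Audit ntpd restrict lines for missing noquery/nomodify (added example)."""

# Constructed ntp.conf fragment, not the author's real config. Line 3 mirrors
# the misconfiguration described in the post: noquery has been commented out.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 127.127.20.0 mode 16 minpoll 4 prefer   # GPS refclock
restrict default kod nomodify notrap nopeer # noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

# Flags every non-loopback restrict entry should carry on a public server.
REQUIRED_FLAGS = {"noquery", "nomodify"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_restrict_lines(conf):
    """Return (lineno, address, flags) for each active restrict directive."""
    entries = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # address family selector
            tokens = tokens[1:]
        address, rest = tokens[0], tokens[1:]
        if rest[:1] == ["mask"]:                  # "addr mask netmask ..."
            address = f"{address} mask {rest[1]}"
            rest = rest[2:]
        entries.append((lineno, address, set(rest)))
    return entries


def find_open_restricts(conf):
    """Return (lineno, address, missing_flags) for entries that need fixing."""
    findings = []
    for lineno, address, flags in parse_restrict_lines(conf):
        if address in LOOPBACK:
            continue  # localhost is allowed to query its own daemon
        missing = sorted(REQUIRED_FLAGS - flags)
        if missing:
            findings.append((lineno, address, missing))
    return findings


if __name__ == "__main__":
    for lineno, address, missing in find_open_restricts(SAMPLE_NTP_CONF):
        print(f"line {lineno}: restrict {address} is missing {', '.join(missing)}")
```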

nginx+observium configuration

Update index.php in Observium so path handling works with nginx.

Change from:

$_SERVER['PATH_INFO'] = (isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : $_SERVER['ORIG_PATH_INFO']);

Change to:

$_SERVER['PATH_INFO'] = $_SERVER['REQUEST_URI'];

nginx site configuration:

server {
    listen 80;
    server_name hostname.kulish.com;

    access_log /var/log/nginx/hostname.kulish.com.acc.log;
    error_log /var/log/nginx/hostname.kulish.com.err.log;

    root /www/observium/html;
    index index.php;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location / {
        try_files $uri $uri/ @observium;
    }

    # Anything that is not a real file goes through index.php as path info
    location @observium {
        rewrite ^(.+)$ /index.php/$1/ last;
    }

    # Both includes contain location blocks, so they must sit inside server {}
    # General php settings
    include php.conf;

    # We need to exclude robots.txt specifically
    include drop.conf;
}

php.conf contents:

# No trailing $ on the regex: /index.php/devices/ style URIs from the
# @observium rewrite must still reach PHP
location ~ \.php {
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;

    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;

    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;

    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;

    # Unix socket rather than 127.0.0.1:9000
    fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
}

I am connecting to a php5-fpm socket to avoid TCP overhead.

drop.conf contents:

# Drop from logging and accidental access

location = /favicon.ico { access_log off; log_not_found off; }
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }