I once tried a denial of service attack on my friend. I knew he has a 32 bit computer, so I tried to send him a Facebook message 2^32 characters long thinking that it would crash his computer (and possibly lead to a blue screen of death). My computer crashed before I could send the message.
Somebody should make a video. 3 guys are sitting in a room. Guy 1 puts on a mask that looks like guy 3 Guy 1 whispers "Monlist" to guy 2 Guy 2 throws a huge stack of paper at guy 3
A funny story from fall semester during the 2020 pandemic: because my university's classes were all online, one of my professors set up a website on a server he physically owned in his basement that he would upload assignments on. Turns out that was a bad idea because after every class when he would give us this week's assignment, he would get kicked offline from every student downloading from his server at the same time.
This reminds me of a project we had to do for University. We had to build a database driven web application. However, in order to fill our database, we were required to get our data from websites. In the end, it turned out that at least 5 groups were mass scraping the same website during a few weekends. Even though we never meant it to be a DOS attack, the poor server was in trouble.
"What time is it?" Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?* Server: *You want to know the time?*
"How can you protect your servers? The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packetts (which includes monlist). By disabling monlist, or upgrading so the the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack."
That "monlist" command sounds like something that exists for debugging, and should require special permission to use. Even without the DoS attack part, it seems like a massive privacy/security violation to just let anyone anywhere ask for a list of everyone who has accessed something. My guess is that if it wasn't just an accident that it was left in, they left it in because removing it would break something. "We can't fix it because something else needs it to stay exactly the same" is a thing in programming.
Very very good explanation! I work for a company with a reasonable sized network (couple of gbits) and own datacenter. For a while now we get multiple abuse reports a day for exactly this type of attack. Sending in these abuse reports is actually useful, as we will block customers after receiving too many reports and not seeing any action on their part.
It sounds like you work for a server/VPS provider. If that's the case, you should look into some automated network monitoring software. Depending on your infrastructure there's most likely free ways of doing so, and if you're company's a decent size, it could afford the cost of some of the better solutions. In the long run, you'd save money from having to manually deal with those situations. And who knows... Maybe management would be appreciative of your recommendation. Might get a nice bonus/raise? :)
An an employee of a local ISP, we've been seeing these NTP attacks on a high-bandwidth customer of ours for some time now. We definitely notice. I believe we've simply blocked NTP from outside sources and are only allowing a select few popular ones, but that's slightly above me.
Two things I'd like to point out: 1. You can spoof the IPv4/IPv6 address for any IP-based protocol (TCP, ICMP, IGMP, etc.), not just UDP. 2. It's the ISP's job to drop packets that have a spoofed source address as they know exactly where the packet came from (based on MAC address), and even the big routing services have some level of detecting whether or not a source address is spoofed.
Actually you can do a couple of things: 1) Replication 2) Distributed Caching 3) Content Delivery Networks (a.g. Akamai) Theese are all expensive things, but if you are under a DDoS attack, you probably have enough money to pay for these services :)
@DerpTrolling on twitter currently holds the world record for the biggest DoS attack ever, it maxed out at over 420Gb/s and was against a company who wanted to test their infrastructure...They also delayed the customization packs for CoD by knocking the DNS servers that send the files, as wekk as every single LoL server, which is why they have had so much down time recently...
Thanks for explaining the difference between TCP and UDT. I didn't know it was that simple. Now I know why the setting on my surveillance system is the way it is
I've been a programmer of web apps for the last 15 years, and I like to consider myself more security-aware than the common developer, but this was actually new information for me. Thank you for sharing the knowledge.
The person who inserted "MONLIST" command in the protocol, is THE Culprit/Hacker! While misguiding you as "This is one useless command", he got way of hacking forever! Otherwise "last 600 users? Really? 600?", come on, you don't need Sherlock Holmes!
Really good video. I love Tom, he's so enthusiastic! :) Also, he talks about topics that I find very interesting (not that I'd actually follow any of his "tips", I just find it interesting). :)
ive watched so much computer file, tom scott, matt and tom, and ashens, that youtube seems to genuinely think im british, and is now showing me ads for companies that dont exist in america
so many different attack vectors exist in the tcp/ip stack. we are sitting here talking about host to host but the real fun begins when you start attacking the routers and routing protocols.. not that I'm in to that but the potential is huge.
I love this video because the only way I know of to truly raise security in this very attacker centric world is to raise the base knowledge of the average user.
Where the pressure really need to get put is on Internet Service Providers to do egress filtering on the outer edges of their networks, and ingress filtering on anyone they sell or rent a block of addresses to. That would actually reduce spoofing instead of just chasing it from protocol to protocol.
I have to say I lean more to the chemistry side of the Brady universe, but I have to say I am completely riveted to watching this guy, he is so enthusiastic about his subject and so interesting to listen too, more please!
I actually remember that back during my school days there was this script you could run called a flooder that did pretty much this, and if you picked the right port to send traffic to on those old windows computers they not only lost all internet connections but also instantly crashed to bluescreen. I remember having a lot of fun with THAT on my school's intranet... =p
The problem with UDP is the fact that there is no absolutely no protection against source IP spoofing; Any ISP that the UDP packets are traveling through cannot verify the legitimacy of those packets. Therefore, any public UDP service which can send more data than it receives is vulnerable to (D)DoS amplification, and in fact it is extremely trivial to accomplish this. With my knowledge and $1000 worth of VPS (like Amazon Web Services), I could bring down a big site for a couple of hours and make headlines. I would never risk it though because that would trace straight back to me. The people who do these attacks in the real world use BitCoins and Tor or VPNs only so that they're much harder to find. I don't have any BitCoins, no use for VPNs, and I personally find it immoral and even childish to perform DoS attacks. I find the technicalities slightly interesting but, compared to real vulnerabilities, to me it's just child's play.
When you started talking about TCP vs UDP, I was thinking of a new name for the reflected DoS via SYN flood. That NTP thing is pure evil! Sounds like a command that was put in to an early ntpd for remote testing/diagnostic/logging and ended up staying in
So basically, it's the bad guys which are creating the need to defend against attacks of any kind that help improve security on the long run. I find this an interesting thought...
Truly, I think the only way to defend against DoS attacks is to improve the protocol itself. For instance UDP could handshake every once in a while, with the receiver sending a single "flag" saying that you can continue with the streaming. This will not only stop DoS, but could also save server bandwidth since the server will know that it doesn't need to keep sending packets to a recipient that doesn't want to listen (this would greatly improve the stream quality of sites like Justin, Twitch, Hulu, and Netflix). And the recipient can effortlessly let only one UDP transfer through, or none at all. another protocol idea is that when a server receives a request for a large amount of data (TCP), or just always (UDP), it 1st sends a "handshake" confirmation to the destination to make sure they really want it. This solves 2 things as one the server can ignore duplicated requests from the same "source", and again save even more bandwidth if the source turned down the handshake. There may even be a "timeout" flag included so that even the confirmation handshakes themselves aren't spammed. The only way a criminal could bypass this is if they hack the actual servers themselves.
He is an excellent orator and teacher!There is a lot I don't understand until explained the right way... I'm sure a lot of people feel that way. Thank You!
Sorry if this won't make sense, but can't that monlist type of communication/request be blocked by firewall? Doesn't it have some specific attribute that could be set to firewall rules and firewall just wouldn't let it through?
It's not just old tech. There's a flaw in IPv6 that also amplifies. This particular NTP attack should just be blocked at the network level. Large NTP servers should not implement monlist and ISPs should not forward it. That only stops this particular attack though.
***** I would say that in terms of pushing out a fix to ntp servers, it's one of the easier fixes. Most of them will be running the same ntpd and would only need to update it once the fix is committed, and this should be done for the entire ntp.org pool at the very least. As for arriving at the borders, if it is blocked by ISPs and backbones it should only affect the connection that the ntp server is on i.e. it shouldn't be blocked at the destination but as close to the source as possible. This could still flood the ntp server's connection, but the ntp server can update its ntpd to fix this.
ghelyar well yes, of course you should block as close to the source as possible. But in case of a DDOS you can only go so far in communicating with upstream providers. Generally you can talk to your transits and peers (although many won't help you with these things), but you can't really go any further up the line. Recently I had to communicate with Level3 (a transit provider for where I work) to get a routing issue fixed. It took us 12 hours to finally get them to fix it. Imagine that it takes that long to let them help you in fending off a DDOS. Btw, servers in the ntp.org pool are already upgraded. It's very easy to fix (on the most common types (variations of the ntp.org version) you can disable it with a simple config change). But in any case it's always the little and "forgotten" NTP servers that cause problems. Most are hooked up with 100mbit or 1gbit to the internet, so find a couple and you can create enough problems.
Aww, I expected you to mention amplification attacks in the IRC protocol itself and was disappointed. (CTCP VERSION or INFO for instance) These were all the rage when I just got on to IRCNet.
A research group at the Technical University of Denmark managed to reach 5.4 terabytes per second using optic fiber. Can you imagine if someone were to gain control of a few connections like those?
Wow! I don't really know what it is, but it's been a while since I watched this channel because of college stuff, and I feel like something changed on the transictions or the camera motion, that really make me get more concentrated on the video. I just loved his explanation, thanks so much for this video.
MONLIST is used to know who have already synced their time, so that you don't send them a sync command again. it's not useless dude. it's very a useful command. It's funny how it's being exploited though.
***** I´m a computer noob, so keep this in mind while reading my question: Why not make a plugin that automatically discards traffic that comes from monlist requests? These answers to requests will all have a certain size, they all have an easily recognizable pattern - can´t you just filter them out at the earliest point possible and be done with it?
You can protect yourself. Add the following lines to your NTP configuration file (ntp.conf): # for IPv4 restrict default limited kod nomodify notrap nopeer noquery # for IPv6 restrict -6 default limited kod nomodify notrap nopeer noquery
For us lowly commoners that might not be a problem however, say you are Amazon, or Google, or eBay or any other widely recognized webpage. simply "unplugging your Ethernet cable!" is not an option and changing your ip might lead to people not being able to immediately find you either,
The worst part is that there's a simple fix, a simple edit to do in a text file of the NTP server. And the admins just do nothing about it. #FixYourStuff
Part of the troubles with "Agreeing not to use x server" is the question of who decides such things? Erasure of things for political or social reasons is an eternal concern. There are always those that want to control others, even if it's just to not talk about the color blue or something silly like that.
I once tried a denial of service attack on my friend. I knew he has a 32 bit computer, so I tried to send him a Facebook message 2^32 characters long thinking that it would crash his computer (and possibly lead to a blue screen of death). My computer crashed before I could send the message.
Somebody should make a video. 3 guys are sitting in a room.
Guy 1 puts on a mask that looks like guy 3
Guy 1 whispers "Monlist" to guy 2
Guy 2 throws a huge stack of paper at guy 3
I was gonna tell you guys a joke about UDP, but you might not get it.
A funny story from fall semester during the 2020 pandemic: because my university's classes were all online, one of my professors set up a website on a server he physically owned in his basement that he would upload assignments on. Turns out that was a bad idea because after every class when he would give us this week's assignment, he would get kicked offline from every student downloading from his server at the same time.
And I though I was scary pulling a flash drive out without safely ejecting it.........
Tom Scott is to computerphile what James Grime is to numberphile
This reminds me of a project we had to do for University.
We had to build a database driven web application. However, in order to fill our database, we were required to get our data from websites. In the end, it turned out that at least 5 groups were mass scraping the same website during a few weekends. Even though we never meant it to be a DOS attack, the poor server was in trouble.
"What time is it?"
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
Server: *You want to know the time?*
"Monlist!". The force of his disgust towards this command cracked me up no end! You just got yourself a new subscriber. Well done!
Tom Scott is by far my favorite person they interview on Computerphile
Yeah. It's especially funny how worked up and passionate he gets about some things.
"How can you protect your servers? The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packetts (which includes monlist).
By disabling monlist, or upgrading so the the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack."
haha i love this guy. he is always so energetic.
Koseiku he has his own youtube channel - Tom Scott
He's brilliant :D
Tom Lloyd Ha. I thought he looked familiar.
Why don't we just remove Monlist?
That "monlist" command sounds like something that exists for debugging, and should require special permission to use. Even without the DoS attack part, it seems like a massive privacy/security violation to just let anyone anywhere ask for a list of everyone who has accessed something. My guess is that if it wasn't just an accident that it was left in, they left it in because removing it would break something. "We can't fix it because something else needs it to stay exactly the same" is a thing in programming.
i love how into it tom gets with the drawings
I like to imagine someone setting this up but forgetting to spoof the return and destroying themselves
I love how angry Tom gets over this subject. The _passion!_
I love this guy. He always sounds so excited when he's talking.
His passion is addicting.
n6i9k4a He has the rare talent that he's passionate about a subject but also has the ability to communicate that passion to the layman.
All of Computerphile's videos are cool and all, but....
Tom is just amazing!
More of tom please, his enthusiasm keeps you glued to the screen.
"I approve this stream being sent to me"
The fax paper to computerphile is like the brown paper to numberphile. Same for Tom Scott and James Grime
I think that just happended...
7:06 what do the other people in the building you're in think when they see you randomly scribbling and shouting 206 times? 😂
This guy makes me feel bad for a computer...
Tom Scott is back on Computerphile! YAY! :)
More videos with this guy please. He explains everything so well
Very very good explanation!
I work for a company with a reasonable sized network (couple of gbits) and own datacenter. For a while now we get multiple abuse reports a day for exactly this type of attack. Sending in these abuse reports is actually useful, as we will block customers after receiving too many reports and not seeing any action on their part.
It sounds like you work for a server/VPS provider. If that's the case, you should look into some automated network monitoring software. Depending on your infrastructure there's most likely free ways of doing so, and if you're company's a decent size, it could afford the cost of some of the better solutions. In the long run, you'd save money from having to manually deal with those situations. And who knows... Maybe management would be appreciative of your recommendation. Might get a nice bonus/raise? :)
Chris Miller thanks for the suggestion. I might just look into that.
An an employee of a local ISP, we've been seeing these NTP attacks on a high-bandwidth customer of ours for some time now. We definitely notice. I believe we've simply blocked NTP from outside sources and are only allowing a select few popular ones, but that's slightly above me.
Two things I'd like to point out:
1. You can spoof the IPv4/IPv6 address for any IP-based protocol (TCP, ICMP, IGMP, etc.), not just UDP.
2. It's the ISP's job to drop packets that have a spoofed source address as they know exactly where the packet came from (based on MAC address), and even the big routing services have some level of detecting whether or not a source address is spoofed.
I swear this guy
I could just listen to him all day
amplified distributed DoS? Yep, I get it. When you try to kick the internet's butt, be sure to wear ADIDoS!
Meanwhile in captions: [SCRIBBLES FURIOUSLY]
knowledge is priceless
Actually you can do a couple of things:
1) Replication
2) Distributed Caching
3) Content Delivery Networks (a.g. Akamai)
Theese are all expensive things, but if you are under a DDoS attack, you probably have enough money to pay for these services :)
@DerpTrolling on twitter currently holds the world record for the biggest DoS attack ever, it maxed out at over 420Gb/s and was against a company who wanted to test their infrastructure...They also delayed the customization packs for CoD by knocking the DNS servers that send the files, as wekk as every single LoL server, which is why they have had so much down time recently...
Thanks for explaining the difference between TCP and UDT. I didn't know it was that simple. Now I know why the setting on my surveillance system is the way it is
I just found a new favorite channel. This guy loves what he does.
I've been a programmer of web apps for the last 15 years, and I like to consider myself more security-aware than the common developer, but this was actually new information for me. Thank you for sharing the knowledge.
The person who inserted "MONLIST" command in the protocol, is THE Culprit/Hacker! While misguiding you as "This is one useless command", he got way of hacking forever! Otherwise "last 600 users? Really? 600?", come on, you don't need Sherlock Holmes!
My IP is 192.168.1.1. a lot of people say they have the same IP but i thought IP's were only for one router/household. help?
Really good video. I love Tom, he's so enthusiastic! :) Also, he talks about topics that I find very interesting (not that I'd actually follow any of his "tips", I just find it interesting). :)
ive watched so much computer file, tom scott, matt and tom, and ashens, that youtube seems to genuinely think im british, and is now showing me ads for companies that dont exist in america
so many different attack vectors exist in the tcp/ip stack. we are sitting here talking about host to host but the real fun begins when you start attacking the routers and routing protocols.. not that I'm in to that but the potential is huge.
I love this video because the only way I know of to truly raise security in this very attacker centric world is to raise the base knowledge of the average user.
Where the pressure really need to get put is on Internet Service Providers to do egress filtering on the outer edges of their networks, and ingress filtering on anyone they sell or rent a block of addresses to. That would actually reduce spoofing instead of just chasing it from protocol to protocol.
This man, should have his own T.V show!
Charb thabowz He does, it's called Gadget Geeks.
And that is something you might not have known!
Great Video! Thank you very much!
love when this guy explains!
I have to say I lean more to the chemistry side of the Brady universe, but I have to say I am completely riveted to watching this guy, he is so enthusiastic about his subject and so interesting to listen too, more please!
I actually remember that back during my school days there was this script you could run called a flooder that did pretty much this, and if you picked the right port to send traffic to on those old windows computers they not only lost all internet connections but also instantly crashed to bluescreen. I remember having a lot of fun with THAT on my school's intranet... =p
ok wtf is there to dislike about this video??
The problem with UDP is the fact that there is no absolutely no protection against source IP spoofing; Any ISP that the UDP packets are traveling through cannot verify the legitimacy of those packets. Therefore, any public UDP service which can send more data than it receives is vulnerable to (D)DoS amplification, and in fact it is extremely trivial to accomplish this. With my knowledge and $1000 worth of VPS (like Amazon Web Services), I could bring down a big site for a couple of hours and make headlines. I would never risk it though because that would trace straight back to me. The people who do these attacks in the real world use BitCoins and Tor or VPNs only so that they're much harder to find. I don't have any BitCoins, no use for VPNs, and I personally find it immoral and even childish to perform DoS attacks. I find the technicalities slightly interesting but, compared to real vulnerabilities, to me it's just child's play.
When you started talking about TCP vs UDP, I was thinking of a new name for the reflected DoS via SYN flood.
That NTP thing is pure evil! Sounds like a command that was put in to an early ntpd for remote testing/diagnostic/logging and ended up staying in
So basically, it's the bad guys which are creating the need to defend against attacks of any kind that help improve security on the long run. I find this an interesting thought...
My internet died when you talked about you're Internet getting denied :/
This guy is both really fun and really informative. So... more Tome Scott?
Truly, I think the only way to defend against DoS attacks is to improve the protocol itself.
For instance UDP could handshake every once in a while, with the receiver sending a single "flag" saying that you can continue with the streaming. This will not only stop DoS, but could also save server bandwidth since the server will know that it doesn't need to keep sending packets to a recipient that doesn't want to listen (this would greatly improve the stream quality of sites like Justin, Twitch, Hulu, and Netflix). And the recipient can effortlessly let only one UDP transfer through, or none at all.
another protocol idea is that when a server receives a request for a large amount of data (TCP), or just always (UDP), it 1st sends a "handshake" confirmation to the destination to make sure they really want it. This solves 2 things as one the server can ignore duplicated requests from the same "source", and again save even more bandwidth if the source turned down the handshake. There may even be a "timeout" flag included so that even the confirmation handshakes themselves aren't spammed. The only way a criminal could bypass this is if they hack the actual servers themselves.
Please do a video explaining the heartbleed bug.
Ah. Well, we're seeing attacks of ~600/700mbps right now. Possibly closer to 1TB/s attacks on the DNS servers. Pretty scary and interesting stuff!
I really want to know where Tom can still find Dot Matrix Printing Paper.
He is an excellent orator and teacher!There is a lot I don't understand until explained the right way... I'm sure a lot of people feel that way. Thank You!
This guy really has a natural talent for teaching. I had never been interested in computer science until I started watching his videos.
I would love to see a feature-length Documentary (60-120mins) made by the computerphile guys! I imagine that it would be amazing.
How did Tom get "206" times the data....Also "206 x ?" What is the basic thing whose 206 times is being sent?
All the experts are so well spoken.
Thanks Tom! Another great video with a really interesting and also terrifying topic.
Took 'em two years to get to terabit level attacks.
Thanks a lot for this, Haley Joel Osment! Seriously, this is highly informative and worth sharing.
This is really interesting because I've noticed that some sites have been acting strangely last few days
Sorry if this won't make sense, but can't that monlist type of communication/request be blocked by firewall? Doesn't it have some specific attribute that could be set to firewall rules and firewall just wouldn't let it through?
Turned Closed Captions on. Saw [furiously scribbling] at 7:03. Nice
Flash forward three years and we've seen 620Gbps attacks with zero amplification...
It's not just old tech. There's a flaw in IPv6 that also amplifies.
This particular NTP attack should just be blocked at the network level. Large NTP servers should not implement monlist and ISPs should not forward it. That only stops this particular attack though.
***** I would say that in terms of pushing out a fix to ntp servers, it's one of the easier fixes. Most of them will be running the same ntpd and would only need to update it once the fix is committed, and this should be done for the entire ntp.org pool at the very least.
As for arriving at the borders, if it is blocked by ISPs and backbones it should only affect the connection that the ntp server is on i.e. it shouldn't be blocked at the destination but as close to the source as possible. This could still flood the ntp server's connection, but the ntp server can update its ntpd to fix this.
ghelyar well yes, of course you should block as close to the source as possible. But in case of a DDOS you can only go so far in communicating with upstream providers. Generally you can talk to your transits and peers (although many won't help you with these things), but you can't really go any further up the line.
Recently I had to communicate with Level3 (a transit provider for where I work) to get a routing issue fixed. It took us 12 hours to finally get them to fix it. Imagine that it takes that long to let them help you in fending off a DDOS.
Btw, servers in the ntp.org pool are already upgraded. It's very easy to fix (on the most common types (variations of the ntp.org version) you can disable it with a simple config change). But in any case it's always the little and "forgotten" NTP servers that cause problems. Most are hooked up with 100mbit or 1gbit to the internet, so find a couple and you can create enough problems.
In the 8 years since this video's release, has this issue been resolved at all? Even partially?
computerphile needs to have tom Scott on more, his videos are great!
Aww, I expected you to mention amplification attacks in the IRC protocol itself and was disappointed. (CTCP VERSION or INFO for instance) These were all the rage when I just got on to IRCNet.
This is a great video, He explains the concepts very well.
*SHOUTS* AND THEY'LL ALL SEND 206 TIMES THE DATA..!!
LOL. Loved the video man. :)
A research group at the Technical University of Denmark managed to reach 5.4 terabytes per second using optic fiber. Can you imagine if someone were to gain control of a few connections like those?
Note that the title says "disrupt" not "take down"
It's scary to think that something so intangible and seemingly untouchable as the internet...could soon actually be very vulnerable.
Wow! I don't really know what it is, but it's been a while since I watched this channel because of college stuff, and I feel like something changed on the transictions or the camera motion, that really make me get more concentrated on the video. I just loved his explanation, thanks so much for this video.
So, if the whole entire world went on the same webpage, would that webpage crash cause they're to many people on the same site?
Nice video but fyi TCP doesn't require packets to be sent in order. It just makes sure that all packets are received at some point in time.
How did I not know about this beautiful channel?!?!
Ah. The good old days when you could take people down with a simple ping. =)
MONLIST is used to know who have already synced their time, so that you don't send them a sync command again.
it's not useless dude. it's very a useful command.
It's funny how it's being exploited though.
*****
I´m a computer noob, so keep this in mind while reading my question:
Why not make a plugin that automatically discards traffic that comes from monlist requests?
These answers to requests will all have a certain size, they all have an easily recognizable pattern - can´t you just filter them out at the earliest point possible and be done with it?
I used to be in love with Matthew Parker in the Maths department, but I think Tom Scott is now my new future husband . . .
The concept reminds me of the White Rose character in Mr Robot, with the whole "I hack time" motif.
You can protect yourself.
Add the following lines to your NTP configuration file (ntp.conf):
# for IPv4
restrict default limited kod nomodify notrap nopeer noquery
# for IPv6
restrict -6 default limited kod nomodify notrap nopeer noquery
I love this guy..... so simply explained, well done...
Question: Couldn't you just unplug your ethernet cable / router until it stops? Maybe quickly change your ip? What works be the problem with that?
For us lowly commoners that might not be a problem however, say you are Amazon, or Google, or eBay or any other widely recognized webpage. simply "unplugging your Ethernet cable!" is not an option and changing your ip might lead to people not being able to immediately find you either,
Where did you get 206x the amount of data from? Surely it would be about 600x the amount of data, since one command sends a list of 600?
ComputersAreRealCool because he's counting in bytes/bits, and that list of 600 contains a lot more than just one byte/bit per entry.
The worst part is that there's a simple fix, a simple edit to do in a text file of the NTP server. And the admins just do nothing about it. #FixYourStuff
Great info, and bonus points for the retro computer paper.
You can defend against it if your home connection is being targeted by just using a vpn beforehand.
You should always be using a vpn actually.
Save us Tom Scot! Use your internet knowledge and fend off DDoS attacks!
Woah...poor paper...
Part of the troubles with "Agreeing not to use x server" is the question of who decides such things? Erasure of things for political or social reasons is an eternal concern. There are always those that want to control others, even if it's just to not talk about the color blue or something silly like that.