NTP DDOS

Hello mtsinc1 and welcome,

Hmmmm, sounds to me that someone is looking for a network time protocol synchronization or just trying to fake a scam hacker access. If you also have the IP address of this intruder, because you seem to know what port 123 they are coming in on, then you can use the Comcast Gateway (CG) Firewall blocking IP address that will prohibit any incoming data from that IP address. Another thing you can do, if you are not using Port 123 on either on those devices, is use your Norton anti-virus or Windows FW control to disable this port. Lastly, if you have any MAC address information, you can certainly do a MAC Address filtering especially if you have a DPC3939B CG.

Hope this helps you out.  

I don't think Windows security measures are going to work too well on a Linux server farm.

Unfortunately, blocking IP addresses doesn't help, because A) the IPs are changing fairly frequently, and B) the sheer volume of bad traffic coming in is killing me.

The targeted servers are unplugged, so the attackers are tossing blind packets at my LAN, but the volume of packets coming in is so high, that even with them being dropped for lack of recipient, it's impacting LAN performance, including both wired and WiFi segments.

The firewall for the Cisco router is apparently too primitive to allow me to specifically block port 123 (and in any event, I'd really like legitimate NTP traffic to come in to the machine that isn't being targeted. Although even if the router could firewall it, it's still likely to be polluting the router itself, even if a router-based firewall would spare my backend subnets.

Yeah. The problem is that there are multiple machines hanging off the router (it has 4 Ethernet jacks) and ideally the machine that isn't being targeted should be allowed NTP services, since accurate time is important to the entire server farm and NTP being what it is, I could then make that machine be a substraturm server for the other machines without exposing them to direct attack.

Unfortunately, that's not an option on this router model. It's all or none.

What's truly offensive isn't just that it's punishing me. All those junk packets have to run through (and thus steal bandwidth) from Comcast's pipes before they reach me, so in the end everyone suffers. Pity someone cannot visit the actual (as opposed to spoofed) UDP packet originators and (ahem) "have words" with them.

Likely it's a botnet and they don't even realize they're infected.

You know, there is an e-mail address abuse@comcast.net that if I had to guess would be a good POC for this kind of issue... I have used that address for other issues in the past, and the response has been good.