So I run a high traffic NTP stratum 2 node. My bandwidth is a gigabit and that’s what I have set as my speed on my server. Recently the IP fragmentation (Teardrop attacks?) has been THROUGH THE ROOF! I assume this is from the reflection exploits and people attempting to abuse the NTP pool for DDoS attacks.
I actually run snort in IPS mode in front of my NTP server and it’s patched up to the latest and whatnot, but that still doesn’t stop the swamp of fragmented packets flooding my network.
What are some of you doing to protect this? Is there any protection at the network level? Are you bumping your fragmentation tables up on your firewalls and just seeing how much your server can drink from the fire hose? Are there any snort rules that someone has come across that can cut down on this? Are you simply bumping your NTP speeds down to deal with it? I hate to give in to providing an essential public service, since I have the resources available, but it seems like the fragmentation/reflection attacks are hitting the NTP pool pretty hard recently.
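One way to get a handle on the question above, as an added example that is not part of the original post: a small Python detector that walks packet summaries (the `Pkt` records and the `SAMPLE` list below are constructed for this example, not captured data) and flags sources that send more than a threshold of IP fragments within a sliding time window. It relies on the fact that a normal NTP client poll is a single small UDP datagram, so a burst of fragments aimed at an NTP server is anomalous regardless of what the first fragment claims.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary (what a capture tool would give per packet)."""
    ts: float              # arrival time in seconds
    src: str               # source IPv4 address
    dport: Optional[int]   # UDP dst port; None for non-first fragments (no L4 header)
    more_frags: bool       # IP "More Fragments" flag
    frag_off: int          # IP fragment offset, in 8-byte units
    length: int            # total IP length in bytes


def is_fragment(p: Pkt) -> bool:
    """A packet is part of a fragmented datagram if MF is set or offset is non-zero."""
    return p.more_frags or p.frag_off > 0


def frag_flood_sources(pkts, window: float = 1.0, threshold: int = 5) -> dict:
    """Return {src: peak fragments seen within any `window` seconds} for sources
    whose peak reaches `threshold`. Sliding window per source over sorted timestamps."""
    times_by_src = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        if is_fragment(p):
            times_by_src[p.src].append(p.ts)
    flagged = {}
    for src, times in times_by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                      # drop timestamps outside the window
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed sample: two ordinary NTP client polls (48-byte NTP payload, 76-byte IP
# datagram, never fragmented) and a burst from one source where every odd packet is
# a first fragment and every even packet is its continuation (offset 185 = 1480/8).
SAMPLE = [Pkt(0.0, "192.0.2.10", 123, False, 0, 76),
          Pkt(0.5, "192.0.2.11", 123, False, 0, 76)]
for i in range(12):
    first = (i % 2 == 0)
    SAMPLE.append(Pkt(1.0 + i * 0.05, "198.51.100.7", 123 if first else None,
                      first, 0 if first else 185, 1500 if first else 60))

if __name__ == "__main__":
    print(frag_flood_sources(SAMPLE))   # → {'198.51.100.7': 12}
```

Sources this returns are candidates for a temporary firewall block or for tuning a fragment-reassembly limit, which is a narrower response than lowering the server's advertised speed.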