VMware Cloud Community
Vmware_Moron
Contributor

My ESXi 4 is reported as participating in an NTP Distributed Denial of Service (DDoS) attack

Hello,

I received a report that my ESXi 4.1 host is participating in an NTP Distributed Denial of Service attack.

I possess a limited VMware skill set, and this is what I have done so far:

  1. Stopped the NTP Daemon service - see attached screenshot.
  2. Ran "#esxcfg-firewall --closePort 123,UPD,in"


However, I am still getting reports that my host is participating in the NTP attack.  Did I miss anything else?

Thanks in advance for any help


Accepted Solutions
schepp
Leadership

Hi,

there's a KB article on how to fix your ESXi by adding some lines in the ntp.conf:

VMware KB: Mitigation and Remediation for NTP DDoS attack in ESX/ESXi and vCenter Server Appliance (...

Tim
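
The thread does not quote the ntp.conf lines from the KB. As an added example (not part of the original post or the KB), this shell function audits an ntp.conf on the assumption that the fix is the standard ntpd `noquery` flag on every `restrict default` line; the function name and the sample config are constructed.

```shell
#!/bin/sh
# Added example (not from the KB): audit ntp.conf for query restrictions.
# Assumption: standard ntpd directives; only "restrict default" lines
# (optionally -4/-6) are audited, not per-host or mask-style rules.

# ntp_conf_audit FILE: prints findings; returns 0 = default sources cannot
# query the daemon, 1 = queries still answered, 2 = file unreadable.
ntp_conf_audit() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++
            if ($i != "default") next           # host/subnet rule, skipped
            seen = 1; ok = 0
            for (j = i + 1; j <= NF; j++)
                if ($j == "noquery" || $j == "ignore") ok = 1
            if (ok) print "OK:   " $0
            else  { print "OPEN: " $0; bad = 1 }
        }
        $1 == "disable" {
            for (j = 2; j <= NF; j++) if ($j == "monitor") mon = 1
        }
        END {
            # ntpd applies no restrictions unless a default rule is given
            if (!seen) { print "OPEN: no restrict default line"; bad = 1 }
            if (mon) print "OK:   monitor facility disabled"
            else     print "NOTE: monitor facility not disabled"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: IPv4 default is restricted, IPv6 default is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer   # missing noquery
restrict 127.0.0.1
server 0.pool.ntp.org
EOF
ntp_conf_audit "$sample" || echo "=> ntp.conf still answers remote queries"
rm -f "$sample"
```

A mask-style default rule is reported as missing, so the check errs toward flagging the file for manual review.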

Vmware_Moron
Contributor

Thank you Tim.

Do I need to restart any services after I update the ntp.conf file?

schepp
Leadership

I would restart the NTP Daemon to make sure.

Also, you should think about moving the ESXi hosts into private subnets that are not routed to the internet, as most of the time they don't need direct internet access.

Regards

Tim

Vmware_Moron
Contributor

Thanks again, Tim!

I appreciate the advice as well.
