We recently fell victim to an NTP DDoS attack as a result of failing to patch our old FreeBSD 6.0 time server.
When the attack occurred it maxed out both our incoming and outgoing bandwidth. We soon identified the NTP server as the problem and disconnected it, as well as blocking all traffic to it in the firewall. This solved the outgoing problem, as the NTP server was no longer sending replies to the NTP requests - but our incoming bandwidth continues to be hammered.
Graphs show that all the attack packets (UDP 123 destined for the NTP server) stop at the firewall as you would expect.
Do we now just need to wait for the attacker to instruct his botnet to look elswhere - or is there something else we can do to mitigate this?
Thanks in advance for any advice!