[AusNOG] Stopping unwanted random NTP traffic

Trent Farrell tfarrell at riotgames.com
Wed Apr 16 11:06:57 EST 2014


We have been the target of some of the largest NTP reflection attacks ever
seen, and all I can really stress is build great relationships with your
upstreams - they'll more than likely respond quicker and give you the
results you want.

In Australia, Vocus and Telstra definitely stepped up and were very helpful.

As Skeeve mentioned below, NTP is just the current FoTM, there's still
plenty of vectors available like SNMPv2, SSDP etc.

On Wednesday, April 16, 2014, Andrew Tschudi <andrewtschudi at gmail.com>
wrote:

> Thanks Lindsay we only have one fiber provider in our building, with no
> other options.
>
> I am considering IP transit from another provider and using our fiber
> provider as backhaul, but we are still in contract and not sure if I can
> change this.
>
> Andrew
>
>
> On Wed, Apr 16, 2014 at 10:32 AM, Lindsay Hill <lindsay.k.hill at gmail.com> wrote:
>
>> You probably need to think about changing your upstream provider, if they
>> can't help deal with this - either by them mitigating traffic, or by giving
>> you RTBH capabilities.
>>
>>
>> On Wed, Apr 16, 2014 at 12:24 PM, Andrew Tschudi <andrewtschudi at gmail.com> wrote:
>>
>>> The problem is our upstream provider could not help us stop the traffic
>>> and we ran out of network capacity. Engineering said they can look at
>>> blocking the traffic as part of a special project which might take 6 weeks.
>>>
>>> Andrew
>>>
>>>
>>>
>>> On Wed, Apr 16, 2014 at 10:15 AM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>>
>>>>
>>>> On Apr 16, 2014, at 7:13 AM, Andrew Tschudi <andrewtschudi at gmail.com> wrote:
>>>>
>>>> > We were the target of the attacks and have no open NTP servers on our
>>>> network.
>>>>
>>>> Gotcha.
>>>>
>>>> In that case, you can use QoS to police down non-76-byte UDP/123
>>>> traffic to 1mb/sec in aggregate or thereabouts, and ask your upstream
>>>> transit(s) to do the same on their side of the link(s).
>>>>
>>>> -----------------------------------------------------------------------
>>>> Roland Dobbins <rdobbins at arbor.net>
>>>> // <http://www.arbornetworks.com>
>>>>
>>>>           Luck is the residue of opportunity and design.
>>>>
>>>>                        -- John Milton
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>
>>>
>>>
>>>
>>
>

-- 

*Trent Farrell*

*Riot Games*

*IP Network Engineer*

E: tfarrell at riotgames.com | IE:  +353 83 446 6809 | US: +1 424 285 9825

Summoner name: Foro
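Roland's suggestion above (police non-76-byte UDP/123 down to roughly 1 Mb/s in aggregate while leaving ordinary NTP alone) is usually implemented in router QoS or a host firewall, and the exact syntax depends on the platform. The following is an added worked model of that classify-and-police logic in plain Python; it is not code from this thread or from Arbor. It assumes the "76 bytes" reading that a basic 48-byte NTP message plus an 8-byte UDP header and a 20-byte IPv4 header totals 76 bytes, so any other size on UDP port 123 (either direction) is treated as suspect; it models the policer as a single token bucket with a burst of one second's worth of bytes at the policed rate (my choice, not from the thread), and it builds its own constructed packets with documentation addresses and zero checksums rather than capturing real traffic.

```python
"""Model of 'police non-76-byte UDP/123 to ~1 Mb/s' as a classifier plus a token-bucket policer.
Added example: constructed packets only, nothing is sent or received on the wire."""
import struct

NTP_PORT = 123
# Assumption: a basic NTP message is 48 bytes; with a 20-byte IPv4 header and an
# 8-byte UDP header the whole packet is 76 bytes. Other sizes on UDP/123 are suspect
# (amplified replies are far larger; truncated or padded probes are not 76 either).
NORMAL_NTP_IPV4_LEN = 20 + 8 + 48


def build_ipv4_udp(sport, dport, payload_len):
    """Construct a minimal IPv4/UDP packet (constructed test data: TEST-NET addresses,
    checksums left at zero, payload all zeros)."""
    udp_len = 8 + payload_len
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + bytes(payload_len)


def classify(pkt):
    """Return 'ntp-normal', 'ntp-suspect' or 'other' for a raw IPv4 packet."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != 17 or len(pkt) < ihl + 8:          # not UDP, or truncated header
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if NTP_PORT not in (sport, dport):             # reflected traffic arrives from sport 123
        return "other"
    return "ntp-normal" if total_len == NORMAL_NTP_IPV4_LEN else "ntp-suspect"


class TokenBucketPolicer:
    """Single-rate policer: tokens are bytes, refilled at rate_bps/8 per second,
    capped at burst_bytes. Timestamps are assumed to be non-decreasing."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = None

    def conform(self, nbytes, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def police_stream(packets, rate_bps=1_000_000, burst_bytes=125_000):
    """packets: iterable of (timestamp_seconds, raw_bytes).
    Normal-sized NTP and non-NTP traffic is never policed; suspect UDP/123
    packets share one aggregate bucket. Returns per-class counters."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    counts = {"ntp-normal": 0, "ntp-suspect-passed": 0,
              "ntp-suspect-dropped": 0, "other": 0}
    for ts, pkt in packets:
        cls = classify(pkt)
        if cls == "ntp-suspect":
            if policer.conform(len(pkt), ts):
                counts["ntp-suspect-passed"] += 1
            else:
                counts["ntp-suspect-dropped"] += 1
        else:
            counts[cls] += 1
    return counts


if __name__ == "__main__":
    normal = build_ipv4_udp(123, 123, 48)          # 76-byte client/server exchange
    amplified = build_ipv4_udp(123, 40000, 440)    # 468-byte reply, the kind a reflector sends
    stream = [(0.0, normal)] * 10 + [(0.0, amplified)] * 2000
    print(police_stream(stream))
```

With the defaults, a burst of 2000 large replies arriving at once lets 267 through (267 x 468 bytes fits the 125,000-byte bucket) and drops the rest, while every 76-byte packet and all non-NTP traffic passes untouched; a second burst one second later gets a refilled bucket and another 267. The same split is what you would express on a router as a class matching UDP/123 with a packet-length check, policed to the agreed rate, and as Roland notes it only really helps if the upstream applies it on their side too, since the bytes have already crossed your link by the time your own policer sees them.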

