[AusNOG] NTP reflection used for world's largest DDoS

David Jericho davidj at diskpig.org
Wed Feb 12 15:36:59 EST 2014


Many ESX boxes do, as do many server IPMI devices, other OOB devices and
telephony/vc devices. Out of the box even many Linux distros do.

It seems to be a default in many devices that turning on an NTP client also
turns on an NTP server. In other words, if you're using NTP time sync on
your network, a check should be performed just to be sure. "I'm only a
client" doesn't mean you're safe.

Pretty simple to scan your own netblocks for it,
http://vk5tu.livejournal.com/44795.html has a good write up (hat tip to
Glen Turner).




On Wed, Feb 12, 2014 at 2:25 PM, Joseph Goldman <joe at apcs.com.au> wrote:

>  My ESX servers seemed to have NTP open by default too.
>
>
> On 12/02/14 15:15, Nathan Brookfield wrote:
>
>  We’ve had some customers’ boxes through UECOMM IP transit compromised
> this morning, only small links but they’re certainly going hard.  A few
> clients run Zimbra which is VMware’s mail server and it appears to have NTP
> open by default.
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net]
> *On Behalf Of *Joshua D'Alton
> *Sent:* Wednesday, 12 February 2014 3:03 PM
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] NTP reflection used for world's largest DDoS
>
>
>
> And looks like another one is running, level3 seems totally decimated at
> the moment, 100ms+ on usual routes.
>
>
>
> On Tue, Feb 11, 2014 at 2:51 PM, Daniel Watson <daniel at glovine.com.au>
> wrote:
>
>
> http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx
>
>
>
> What is the world coming to?
>
>
>
> D.
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
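The check suggested in the message above (confirming that hosts you run only as NTP clients do not also answer as servers) can be sketched as follows; this is an added example, not code from the post or from the linked write-up. The function names are hypothetical, it covers IPv4 only, and `192.0.2.0/30` is a documentation placeholder for a netblock you operate.

```python
import ipaddress
import socket
import struct

NTP_PORT = 123
MODE_CLIENT, MODE_SERVER = 3, 4

def build_client_query(version=4):
    """48-byte NTP header: LI=0, VN=version, Mode=3 (client), rest zero."""
    return struct.pack("!B47x", (version << 3) | MODE_CLIENT)

def classify_reply(data):
    """Decide whether a UDP/123 reply shows the host acting as a server."""
    if len(data) < 48:
        return "malformed"
    mode, stratum = data[0] & 0x07, data[1]
    if mode != MODE_SERVER:
        return "not-a-server-reply mode=%d" % mode
    return "ntp-server stratum=%d" % stratum

def probe(host, timeout=1.0):
    """Send one ordinary client query, as any NTP client would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_client_query(), (host, NTP_PORT))
            data, _ = s.recvfrom(512)
        except OSError:          # includes socket.timeout
            return "no-reply"
    return classify_reply(data)

def audit(netblock):
    """Return {address: verdict} for hosts in your own IPv4 netblock that answer."""
    found = {}
    for ip in ipaddress.ip_network(netblock).hosts():
        verdict = probe(str(ip))
        if verdict != "no-reply":
            found[str(ip)] = verdict
    return found

if __name__ == "__main__":
    # 192.0.2.0/30 is a documentation placeholder; substitute a range you operate.
    for addr, verdict in audit("192.0.2.0/30").items():
        print(addr, verdict)
```

Any address reported as `ntp-server` is serving time to whoever asks and is a candidate for an access restriction or a firewall rule on UDP/123; run the probe from outside the network to see what the internet sees.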