[AusNOG] NTP reflection used for world's largest DDoS

Jeremy Begg jeremy at vsm.com.au
Wed Feb 12 16:03:31 EST 2014


>My ESX servers seemed to have NTP open by default too.

I think you'll find an awful lot of servers have NTP on by default, or the
system administrator has turned it on without understanding the need for any
security around it.  (I'm guilty of that.)

In my case the fix was very simple: a kernel-level packet filter which
blocks all NTP traffic except for specified hosts and networks.  The
requests still come on to the network but they don't result in any
responses.

Regards,

        Jeremy Begg

  +---------------------------------------------------------+
  |            VSM Software Services Pty. Ltd.              |
  |                 http://www.vsm.com.au/                  |
  |---------------------------------------------------------|
  | P.O.Box 402, Walkerville, |  E-Mail:  jeremy at vsm.com.au |
  | South Australia 5081      |   Phone:  +61 8 8221 5188   |
  |---------------------------|  Mobile:  0414 422 947      |
  |  A.C.N. 068 409 156       |     FAX:  +61 8 8221 7199   |
  +---------------------------------------------------------+


>On 12/02/14 15:15, Nathan Brookfield wrote:
>>
>> We've had some customers' boxes through UECOMM IP transit compromised
>> this morning, only small links but they're certainly going hard.  A
>> few clients run Zimbra which is VMware's mail server and it appears to
>> have NTP open by default.
>>
>> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of
>> *Joshua D'Alton
>> *Sent:* Wednesday, 12 February 2014 3:03 PM
>> *Cc:* ausnog at lists.ausnog.net
>> *Subject:* Re: [AusNOG] NTP reflection used for world's largest DDoS
>>
>> And looks like another one is running, level3 seems totally decimated
>> at the moment, 100ms+ on usual routes.
>>
>> On Tue, Feb 11, 2014 at 2:51 PM, Daniel Watson <daniel at glovine.com.au
>> <mailto:daniel at glovine.com.au>> wrote:
>>
>> http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx
>>
>> What is the world coming to?
>>
>> D.
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
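
The kind of filter described in the message above, as an added example that is not part of the original post and is not the poster's own configuration: a shell function that emits an nftables ruleset answering NTP only for an allowlist and dropping everything else. It assumes a Linux host with nftables; the names ntp_guard, ntp_allowed, valid_v4 and ntp_allowlist_ruleset are hypothetical, and the addresses in the usage note are constructed documentation-range values.

```sh
#!/bin/sh
# Added example (assumes Linux + nftables; table/set/function names are hypothetical).

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_v4() {
    addr=${1%/*}
    case $1 in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] 2>/dev/null || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print a ruleset that accepts NTP (UDP/123) only from the listed hosts and
# networks and silently drops every other request, so nothing is reflected.
ntp_allowlist_ruleset() {
    [ $# -gt 0 ] || { echo "need at least one allowed host or network" >&2; return 2; }
    elements=
    for entry in "$@"; do
        valid_v4 "$entry" || { echo "bad allowlist entry: $entry" >&2; return 2; }
        elements="${elements:+$elements, }$entry"
    done
    cat <<EOF
table inet ntp_guard {
    set ntp_allowed {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # replies to this host's own queries to its upstream time servers
        udp dport 123 ct state established accept
        udp dport 123 ip saddr @ntp_allowed accept
        udp dport 123 counter drop
    }
}
EOF
}
```

Running `ntp_allowlist_ruleset 192.0.2.0/24 198.51.100.7 | nft -f -` as root loads the filter; the counter on the drop rule shows how many unsolicited NTP requests are still arriving.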


