[AusNOG] NTP reflection used for world's largest DDoS

Jeremy Begg jeremy at vsm.com.au
Wed Feb 12 19:17:22 EST 2014


>Possible reason for the attack?
>https://thedaywefightback.org/international/

I doubt it.  That refers specifically to 11th Feb but my systems were
suffering before then.  Besides, the attack is described in a CERT alert
from last month:

https://www.us-cert.gov/ncas/alerts/TA14-013A

The vendor who brought that to my attention this week said their systems had
been under attack since December.

	Jeremy
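The fix Jeremy describes in his quoted reply below (answer NTP only for specified hosts and networks) and the configuration-side mitigation in US-CERT TA14-013A (turn off the monitor facility or refuse mode-6/7 queries by default) can be checked and generated with a small script. The following is an added example, not code from the thread or from any poster; it assumes classic ntpd `ntp.conf` syntax, the sample configurations are constructed, and the nftables table and chain names (`inet filter`, `input`) are assumptions. The leading `ct state established` rule is an addition so that replies from the upstream servers a host polls are not dropped.

```python
"""Audit an ntpd (ntp.conf) configuration for exposure to the mode-7 'monlist'
query abused by NTP reflection, and emit an nftables allowlist equivalent to a
kernel-level filter that answers NTP only for specified networks.
Added example; sample configs below are constructed, nft names are assumed."""

import ipaddress

# Constructed sample: no restrict lines at all, so any host may issue monlist queries.
OPEN_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
"""

# Constructed sample of a common mistake: restrict present but without 'noquery'.
PARTIAL_CONF = """
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample following the usual hardening advice for classic ntpd.
HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # LAN may query, not modify
"""


def _tokens(raw_line):
    """Tokenise one config line, dropping '#' comments."""
    return raw_line.split("#", 1)[0].split()


def parse_restrict(conf_text):
    """Return [(target, frozenset(flags))] for every 'restrict' statement.
    Handles the '-4'/'-6' family switch and the 'addr mask netmask' form."""
    entries = []
    for raw in conf_text.splitlines():
        toks = _tokens(raw)
        if not toks or toks[0] != "restrict":
            continue
        toks = toks[1:]
        if toks and toks[0] in ("-4", "-6"):
            toks = toks[1:]
        if not toks:
            continue
        target, flags = toks[0], toks[1:]
        if flags[:1] == ["mask"] and len(flags) >= 2:
            target = f"{target}/{flags[1]}"
            flags = flags[2:]
        entries.append((target, frozenset(flags)))
    return entries


def monitor_disabled(conf_text):
    """True if 'disable monitor' is present (monlist then has nothing to return)."""
    return any(
        toks[:1] == ["disable"] and "monitor" in toks[1:]
        for toks in map(_tokens, conf_text.splitlines())
    )


def default_queries_blocked(conf_text):
    """True if every 'restrict default' line refuses mode-6/7 queries
    ('noquery') or ignores the packet entirely ('ignore')."""
    defaults = [f for t, f in parse_restrict(conf_text) if t == "default"]
    return bool(defaults) and all(f & {"noquery", "ignore"} for f in defaults)


def monlist_exposed(conf_text):
    """Exposed to reflection unless monitor is off or default queries are blocked."""
    return not (monitor_disabled(conf_text) or default_queries_blocked(conf_text))


def nft_allowlist_rules(allowed_networks, table="inet filter", chain="input"):
    """Emit nft commands for the allowlist filter: accept UDP/123 only from the
    listed networks and drop the rest, so unwanted requests still arrive but
    never produce a reply. The first rule keeps replies from the upstream
    servers we poll: classic ntpd sends from and to port 123, and conntrack
    marks that reply flow as established."""
    cmds = [f"nft add rule {table} {chain} udp dport 123 ct state established accept"]
    for net in allowed_networks:
        n = ipaddress.ip_network(net, strict=False)   # raises ValueError on bad input
        fam = "ip" if n.version == 4 else "ip6"
        cmds.append(f"nft add rule {table} {chain} {fam} saddr {n} udp dport 123 accept")
    cmds.append(f"nft add rule {table} {chain} udp dport 123 drop")
    return cmds


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("partial", PARTIAL_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name:8s} monlist exposed: {monlist_exposed(conf)}")
    print("\n".join(nft_allowlist_rules(["192.0.2.0/24", "2001:db8::/32"])))
```

The audit treats a later, more permissive `restrict` line for a specific network (such as the LAN entry above) as deliberate allowlisting and only judges the `default` entries; run it across a fleet's `ntp.conf` files to find hosts that are still open, and pair it with the generated rules so that the host stops answering even if its ntpd is later reconfigured.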

>-----Original Message-----
>From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Jeremy Begg
>Sent: Wednesday, 12 February 2014 4:04 PM
>To: ausnog at lists.ausnog.net
>Subject: Re: [AusNOG] NTP reflection used for world's largest DDoS

>>My ESX servers seemed to have NTP open by default too.

>I think you'll find an awful lot of servers have NTP on by default, or the system administrator has turned it on without understanding the need for any security around it.  (I'm guilty of that.)

>In my case the fix was very simple: a kernel-level packet filter which blocks all NTP traffic except for specified hosts and networks.  The requests still come on to the network but they don't result in any responses.

>Regards,

>        Jeremy Begg

>  +---------------------------------------------------------+
>  |            VSM Software Services Pty. Ltd.              |
>  |                 http://www.vsm.com.au/                  |
>  |---------------------------------------------------------|
>  | P.O.Box 402, Walkerville, |  E-Mail:  jeremy at vsm.com.au |
>  | South Australia 5081      |   Phone:  +61 8 8221 5188   |
>  |---------------------------|  Mobile:  0414 422 947      |
>  |  A.C.N. 068 409 156       |     FAX:  +61 8 8221 7199   |
>  +---------------------------------------------------------+


>>On 12/02/14 15:15, Nathan Brookfield wrote:
>>>
>>> We've had some customers boxes through UECOMM IP transit compromised
>>> this morning, only small links but they're certainly going hard.  A
>>> few clients run Zimbra which is VMWare's mail server and it appears
>>> to have NTP open by default.
>>>
>>> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of
>>> *Joshua D'Alton
>>> *Sent:* Wednesday, 12 February 2014 3:03 PM
>>> *Cc:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] NTP reflection used for world's largest DDoS
>>>
>>> And looks like another one is running, level3 seems totally decimated
>>> at the moment, 100ms+ on usual routes.
>>>
>>> On Tue, Feb 11, 2014 at 2:51 PM, Daniel Watson <daniel at glovine.com.au
>>> <mailto:daniel at glovine.com.au>> wrote:
>>>
>>> http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx
>>>
>>> What is the world coming to.
>>>
>>> D.
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>>


