[AusNOG] NTP Reflection coming in over Equinix IX

Alexander Neilson alexander at neilson.net.nz
Thu Feb 13 18:23:15 EST 2014

With these latest attacks I was pleased that I had ensured all the abuse contacts on our network were up to date. One of our customers (a school) had an open NTP server running on their network.

They were used in the latest wave of attacks and we were notified about this (the only open NTP server across all the networks we manage). We directly contacted the customer's IT team to repair it and, until then, with the customer's assent, we are putting a block in place at the border cutting it clean off from NTP.


Alexander Neilson
Neilson Productions Limited

alexander at neilson.net.nz
021 329 681
022 456 2326

On 13/02/2014, at 7:01 pm, Dobbins, Roland <rdobbins at arbor.net> wrote:

> On Feb 13, 2014, at 12:56 PM, Luke Iggleden <luke+ausnog at sisgroup.com.au> wrote:
>> Withdraw all prefixes from the IX that aren't being dossed.
>> or/
>> Announce a more specific via a DDOS scrubber
>> or/
>> Announce via a transit provider that supports RTBH.
> Concur 100%.
> Also, if folks aren't members of the main trusted/vetted global opsec communities, you should look at joining, so as to both receive and render assistance as needed.

More on topic for this email, I am worried that the logging and telemetry information I inherited from my predecessor on the network has some holes / isn't collected together logically, so I have been hesitant to try to join any of these groups and contribute.

Does anyone have any suggestions (off list maybe preferred - I can pass on conclusions) on what level of telemetry (or templates for logging) is most useful to others when shared, and on some of the best groups for network managers to start with to get into these communities and help out the global community?

For example, we were having attempts to use us for DNS reflection amplification this morning. We only provide proper responses to customers inside our network, and I am getting ready to deploy even more tightly secured servers; however, from recent discussions on lists I have seen people's view that even 1:1 reflection is still popular, so I added the targets to our blackhole list today so we didn't even swamp them with rejected replies.

We already deploy as much of BCP38 as we can on our network (filtering anything without our routable prefixes as source address at the border), but we are yet to filter per customer to prevent internal flooding (not likely to be a major issue for us, but we prefer complete protection). I am always reading threads to learn more best practices to ensure we do our bit, so keep the advice coming.

Thank you all

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 	  Luck is the residue of opportunity and design.
> 		       -- John Milton
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
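The two checks an operator chasing an open NTP reflector like the one in this post would want, as an added example that is not code from the AusNOG thread or its authors: recognising the mode 7 monlist probe in a captured UDP/123 payload, and picking the reflector out of NetFlow-style telemetry by the byte ratio between what a host receives on UDP/123 from outside and what it sends back from UDP/123 to outside. The `src,dst,proto,sport,dport,pkts,bytes` record format, the sample records and the 203.0.113.0/24 "our prefix" are assumptions constructed for the example; a real exporter (nfdump, pmacct, sFlow) needs its own parser.

```python
"""Added example, not code from the AusNOG post or its authors.

1. classify a UDP/123 payload: is it an ntpd mode 7 monlist request?
2. from NetFlow-style records, find hosts in our prefixes that answer
   external UDP/123 traffic with far more bytes than they receive.

The flow text format, sample records and the 203.0.113.0/24 prefix are
assumptions for this example.
"""
from collections import defaultdict
import ipaddress

IMPL_XNTPD = 3          # ntpd "implementation" number ntpdc puts in mode 7 requests
REQ_MON_GETLIST = 20    # original monlist request code
REQ_MON_GETLIST_1 = 42  # the variant ntpdc -c monlist sends

# Assumed address space for "our network" (RFC 5737 documentation range).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def ntp_mode(payload: bytes) -> int:
    """The NTP mode is the low three bits of the first byte (LI/VN/mode)."""
    return payload[0] & 0x07


def is_monlist_request(payload: bytes) -> bool:
    """True for an ntpd mode 7 (private) packet asking for MON_GETLIST(_1).

    Mode 7 header: byte0 R/M/VN/mode, byte1 auth+sequence, byte2
    implementation, byte3 request code, then err/count and mbz/size.
    """
    if len(payload) < 8 or ntp_mode(payload) != 7:
        return False
    return payload[2] == IMPL_XNTPD and payload[3] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1)


def build_monlist_request() -> bytes:
    """The 8-byte probe ntpdc sends for monlist: version 2, mode 7, no auth."""
    return bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def is_ours(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def parse_flows(text: str):
    """Parse 'src,dst,proto,sport,dport,pkts,bytes' lines; '#' starts a comment."""
    flows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, sport, dport, pkts, nbytes = line.split(",")
        flows.append((src, dst, int(proto), int(sport), int(dport), int(pkts), int(nbytes)))
    return flows


def find_ntp_reflectors(flows, min_ratio=10.0, min_out_bytes=1_000_000):
    """Per local host: UDP/123 bytes in from outside vs bytes out to outside.

    A healthy ntpd answers a 48-byte query with a 48-byte reply (ratio ~1).
    monlist returns up to 100 packets of ~440 bytes per 8-byte request, so a
    reflector's ratio lands in the hundreds. Returns {host: ratio}.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for src, dst, proto, sport, dport, _pkts, nbytes in flows:
        if proto != 17:
            continue
        if is_ours(dst) and not is_ours(src) and dport == 123:
            in_bytes[dst] += nbytes
        elif is_ours(src) and not is_ours(dst) and sport == 123:
            out_bytes[src] += nbytes
    suspects = {}
    for host, out in out_bytes.items():
        inbound = in_bytes.get(host, 0)
        ratio = out / inbound if inbound else float("inf")
        if out >= min_out_bytes and ratio >= min_ratio:
            suspects[host] = round(ratio, 1)
    return suspects


# Constructed sample records (not real telemetry).
SAMPLE_FLOWS = """
# src,dst,proto,sport,dport,pkts,bytes
198.51.100.7,203.0.113.10,17,123,123,5000,180000      # spoofed victim -> open ntpd
203.0.113.10,198.51.100.7,17,123,123,500000,241000000 # monlist replies hitting the victim
192.0.2.9,203.0.113.20,17,123,123,10,760              # ordinary client query
203.0.113.20,192.0.2.9,17,123,123,10,760              # ordinary 48-byte reply
203.0.113.20,203.0.113.55,17,123,123,100,7600         # internal customer, not counted
"""

if __name__ == "__main__":
    print("monlist probe recognised:", is_monlist_request(build_monlist_request()))
    print("reflectors:", find_ntp_reflectors(parse_flows(SAMPLE_FLOWS)))
```

The byte-ratio check is deliberately blind to packet counts, because a flow exporter sampling 1:1000 keeps the ratio intact while the absolute packet numbers are meaningless; the `min_out_bytes` floor is what stops a quiet, legitimately busy server from being flagged on a handful of records. Once a host is flagged, the same `is_monlist_request` classifier applied to a packet capture on it confirms whether it is monlist (fix: `disable monitor` / `restrict default noquery` in ntp.conf, or ntpd 4.2.7p26 and later) rather than some other mode 7 or mode 6 query.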
