<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Better peering then your actual transit, if you ask me. Cheaper cost
:P.<br>
<br>
<div class="moz-cite-prefix">On 13/02/14 16:33, Tom Paseka wrote:<br>
</div>
<blockquote
cite="mid:CAL89SgLDa9Z-6o1agMT5Amhdv_0tnhB5iAvd0q2-XUVa1PfVxw@mail.gmail.com"
type="cite">
<div dir="ltr">We (CloudFlare) regularly get hit over peering
points, including Equinix IX in Sydney, to the tune of multiple
Gbps. </div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Feb 12, 2014 at 9:26 PM, Joshua
D'Alton <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:joshua@railgun.com.au" target="_blank">joshua@railgun.com.au</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Wow further to my last email, looks like a
targeted attack then. And with power too, all those hosts
have pretty hefty internet connections, well not to
mention peering!</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div>
<div class="h5">On Thu, Feb 13, 2014 at 4:23 PM, James
Braunegg <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:james.braunegg@micron21.com"
target="_blank">james.braunegg@micron21.com</a>></span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="h5">
<div link="#0563C1" vlink="#954F72" lang="EN-US">
<div>
<p class="MsoNormal"><span>Dear Seamus</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Your totally
correct.. here is a list of some big
offenders we have found so far in
Australia</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>58
DEAKIN-AS-AP Deakin University (AU)
(AS7645)</span></p>
<p class="MsoNormal"><span>84
MONASHUNI-AU-AS-AP Monash University, (AU)
(AS56132)</span></p>
<p class="MsoNormal"><span>41
EFTEL-AS-AP Eftel
Limited. (AU) (AS10113)</span></p>
<p class="MsoNormal"><span>155
AARNET-AS-AP Australian Academic and
Reasearch Network (AARNet) (AU) (AS7575)</span></p>
<p class="MsoNormal"><span>69
UQ-AS-AP University of Queensland (AU)
(AS24436)</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>(The numbers are
the amount of unique IP addresses from
each AS within an attack)</span></p>
<div>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Kindest Regards</span></p>
<p class="MsoNormal"><span> </span></p>
<div>
<p class="MsoNormal">
<b><span
style="font-family:"Verdana","sans-serif"">James
Braunegg<br>
</span></b><b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">P:</span></b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">
1300 769 972 | <b>M:</b> 0488 997
207 | <b>D:</b> (03) 9751 7616</span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif""></span></p>
<p class="MsoNormal"><b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">E:</span></b><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">
</span><span><a moz-do-not-send="true"
href="mailto:james.braunegg@micron21.com"
target="_blank"><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">james.braunegg@micron21.com</span></a></span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif"">
| <b>ABN:</b> <a
moz-do-not-send="true"
href="tel:12%20109%20977%20666"
value="+12109977666" target="_blank">12
109 977 666</a> <br>
<b>W:</b> <a moz-do-not-send="true"
href="http://www.micron21.com/ddos-protection"
target="_blank"><span>www.micron21.com/ddos-protection</span></a>
<b>T:</b> @micron21</span></p>
<p class="MsoNormal"><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif""> </span></p>
<p class="MsoNormal"><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif""><br>
<img
src="cid:part6.08010204.03000808@apcs.com.au"
alt="Description: Description:
Description: Description: M21.jpg"
height="39" width="250" border="0"><br>
</span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif""
lang="EN-AU">This message is intended
for the addressee named above. It may
contain privileged or confidential
information. If you are not the
intended recipient of this message you
must not use, copy, distribute or
disclose it to anyone other than the
addressee. If you have received this
message in error please return the
message to the sender by replying to
it and then delete the message from
your computer.</span><span
style="font-size:8.0pt;font-family:"Verdana","sans-serif""></span></p>
</div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<div style="border:none;border-top:solid
#b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
AusNOG [mailto:<a
moz-do-not-send="true"
href="mailto:ausnog-bounces@lists.ausnog.net"
target="_blank">ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Seamus Ryan<br>
<b>Sent:</b> Thursday, February 13,
2014 4:16 PM</span></p>
<div><br>
<b>To:</b> 'Sean K. Finn'; <a
moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net"
target="_blank">ausnog@lists.ausnog.net</a><br>
</div>
<b>Subject:</b> Re: [AusNOG] NTP
Reflection coming in over Equinix IX
<p>
</p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU">It
has also been happening over NSW-IX
the last few days (targeting
cloudflare </span><span
style="font-family:Wingdings;color:#1f497d"
lang="EN-AU">J</span><span
style="color:#1f497d" lang="EN-AU"> ).</span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"><a
moz-do-not-send="true"
href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all"
target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a></span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"><br>
Not sure if they are NTP, but the
“big” one on Tuesday appears to have
sources like AARNET</span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"><a
moz-do-not-send="true"
href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all"
target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a></span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU">and
Ultraserve:</span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"><a
moz-do-not-send="true"
href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all"
target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all</a></span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU">(large
spikes line up with cloudflare’s
graph)</span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p><span style="color:#1f497d"
lang="EN-AU">-</span><span
style="font-size:7.0pt;font-family:"Times
New
Roman","serif";color:#1f497d"
lang="EN-AU"> </span><span
style="color:#1f497d" lang="EN-AU">Seamus</span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<p class="MsoNormal"><span
style="color:#1f497d" lang="EN-AU"> </span></p>
<div>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in
0in">
<p class="MsoNormal"><b>From:</b>
AusNOG [<a moz-do-not-send="true"
href="mailto:ausnog-bounces@lists.ausnog.net"
target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Sean K. Finn<br>
<b>Sent:</b> Thursday, 13 February
2014 3:37 PM<br>
<b>To:</b> <a
moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net"
target="_blank">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> [AusNOG] NTP
Reflection coming in over Equinix IX</p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal">Hey All,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I never thought I’d
see the day, we’re seeing local NTP
Reflection attacks come in across
Equinix peering!</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thankfully they are
very small amounts of traffic but you
can see the traffic jump percentage
wise.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
<img
src="cid:part14.09090002.08040309@apcs.com.au"
height="210" width="596" border="0"></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal">
<span lang="EN-AU">Does anyone have any
mitigation stategies across the
Equinix IX . (Apart from obvious, i.e.
contacting the peer AS’s to asking
them to nice mitigate at their end and
pray, or droping prefix from Equinix
completely.)</span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU">PS
Anyone else on Equinix Syd if you’re
smashing outbound on NTP please check
</span><span
style="font-family:Wingdings"
lang="EN-AU">J</span><span
lang="EN-AU"></span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU">This
is the first time we’ve seen
reflection attack across peering!</span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU">What
I once considered safe harbour has now
been compromised.</span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU">Kind
Regards,</span></p>
<p class="MsoNormal"><span lang="EN-AU">Sean
Finn,</span></p>
<p class="MsoNormal"><span lang="EN-AU">Oz
Servers.</span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<div class="MsoNormal"
style="text-align:center" align="center"><span
style="font-size:12.0pt;font-family:"Times
New Roman","serif""
lang="EN-AU">
<hr style="color:#d0d3dd"
noshade="noshade" size="1"
width="100%" align="center">
</span></div>
<p class="MsoNormal"
style="text-align:center" align="center"><span
style="font-size:9.0pt;font-family:"Tahoma","sans-serif";color:silver"
lang="EN-AU">Premium Australian
Hosting Solution Specialists</span><span
style="font-size:12.0pt;font-family:"Times
New Roman","serif""
lang="EN-AU"></span></p>
<div class="MsoNormal"
style="text-align:center" align="center"><span
style="font-size:12.0pt;font-family:"Times
New Roman","serif""
lang="EN-AU">
<hr style="color:#d0d3dd"
noshade="noshade" size="1"
width="100%" align="center">
</span></div>
<table style="width:96.9%" width="96%"
border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt
.75pt">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sean
Finn, </span></b><span
style="font-size:7.0pt;font-family:"Tahoma","sans-serif"">BInfTech(NetSys)Qld.UT</span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Oz
Servers</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
e: <a moz-do-not-send="true"
href="mailto:sean.finn@ozservers.com.au" target="_blank"><span
style="color:blue">sean.finn@ozservers.com.au</span></a><br>
<b>w: <a
moz-do-not-send="true"
href="http://www.ozservers.com.au/"
title="http://www.ozservers.com.au/" target="_blank"><span
style="color:blue">http://www.ozservers.com.au</span></a></b><br>
<b>p: 1300 13 89 69</b></span><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif"">
</span></p>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif""> </span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New
Roman","serif""> </span></p>
</td>
<td style="padding:.75pt .75pt .75pt
.75pt">
<p class="MsoNormal"
style="text-align:right"
align="right"><span
style="font-size:12.0pt;font-family:"Times
New
Roman","serif""><img
src="cid:part17.06000904.07020800@apcs.com.au" alt="ozlogo" height="70"
width="140" border="0"></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<div class="">_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net"
target="_blank">AusNOG@lists.ausnog.net</a><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
</body>
</html>