<div dir="ltr">Wow further to my last email, looks like a targeted attack then. And with power too, all those hosts have pretty hefty internet connections, well not to mention peering!</div><div class="gmail_extra"><br><br>
<div class="gmail_quote">On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg <span dir="ltr"><<a href="mailto:james.braunegg@micron21.com" target="_blank">james.braunegg@micron21.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal"><span style>Dear Seamus<u></u><u></u></span></p><p class="MsoNormal"><span style><u></u> <u></u></span></p><p class="MsoNormal"><span style>Your totally correct.. here is a list of some big offenders we have found so far in Australia<u></u><u></u></span></p>
<p class="MsoNormal"><span style><u></u> <u></u></span></p><p class="MsoNormal"><span style>58                     DEAKIN-AS-AP Deakin University (AU) (AS7645)<u></u><u></u></span></p><p class="MsoNormal"><span style>84                     MONASHUNI-AU-AS-AP Monash University, (AU) (AS56132)<u></u><u></u></span></p>
<p class="MsoNormal"><span style>41                     EFTEL-AS-AP Eftel Limited. (AU) (AS10113)<u></u><u></u></span></p><p class="MsoNormal"><span style>155                   AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) (AU) (AS7575)<u></u><u></u></span></p>
<p class="MsoNormal"><span style>69                     UQ-AS-AP University of Queensland (AU) (AS24436)<u></u><u></u></span></p><p class="MsoNormal"><span style><u></u> <u></u></span></p><p class="MsoNormal"><span style>(The numbers are the amount of unique IP addresses from each AS within an attack)<u></u><u></u></span></p>
<div class=""><p class="MsoNormal"><span style><u></u> <u></u></span></p><p class="MsoNormal"><span style>Kindest Regards<u></u><u></u></span></p><p class="MsoNormal"><span style><u></u> <u></u></span></p><div><p class="MsoNormal">
<b><span style="font-family:"Verdana","sans-serif"">James Braunegg<br></span></b><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">P:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">  1300 769 972  |  <b>M:</b>  0488 997 207 |  <b>D:</b>  (03) 9751 7616</span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">E:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">   </span><span style><a href="mailto:james.braunegg@micron21.com" target="_blank"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">james.braunegg@micron21.com</span></a></span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">  |  <b>ABN:</b>  <a href="tel:12%20109%20977%20666" value="+12109977666" target="_blank">12 109 977 666</a>   <br>
<b>W:</b>  <a href="http://www.micron21.com/ddos-protection" target="_blank"><span style>www.micron21.com/ddos-protection</span></a>   <b>T:</b> @micron21<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><br><img border="0" width="250" height="39" src="cid:image003.jpg@01CF28D7.E43238D0" alt="Description: Description: Description: Description: M21.jpg"><br>
</span><span lang="EN-AU" style="font-size:8.0pt;font-family:"Verdana","sans-serif"">This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.</span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u><u></u></span></p>
</div><p class="MsoNormal"><span style><u></u> <u></u></span></p></div><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] <b>On Behalf Of </b>Seamus Ryan<br>
<b>Sent:</b> Thursday, February 13, 2014 4:16 PM</span></p><div class=""><br><b>To:</b> 'Sean K. Finn'; <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br></div><b>Subject:</b> Re: [AusNOG] NTP Reflection coming in over Equinix IX<u></u><u></u><p>
</p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">It has also been happening over NSW-IX the last few days (targeting cloudflare </span><span lang="EN-AU" style="font-family:Wingdings;color:#1f497d">J</span><span lang="EN-AU" style="color:#1f497d"> ).<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><br>Not sure if they are NTP, but the “big” one on Tuesday appears to have sources like AARNET<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">and Ultraserve:<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d">(large spikes line up with cloudflare’s graph)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><p><span lang="EN-AU" style="color:#1f497d">-</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1f497d">          </span><span lang="EN-AU" style="color:#1f497d">Seamus<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU" style="color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> AusNOG [<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>] <b>On Behalf Of </b>Sean K. Finn<br><b>Sent:</b> Thursday, 13 February 2014 3:37 PM<br>
<b>To:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br><b>Subject:</b> [AusNOG] NTP Reflection coming in over Equinix IX<u></u><u></u></p></div></div><p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p>
<p class="MsoNormal">Hey All,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I never thought I’d see the day, we’re seeing local NTP Reflection attacks come in across Equinix peering!<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thankfully they are very small amounts of traffic but you can see the traffic jump percentage wise.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">
<img border="0" width="596" height="210" src="cid:image004.png@01CF28D7.E43238D0"><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal">
<span lang="EN-AU">Does anyone have any mitigation stategies across the Equinix IX . (Apart from obvious, i.e. contacting the peer AS’s to asking them to nice mitigate at their end and pray, or droping prefix from Equinix completely.)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU">PS Anyone else on Equinix Syd if you’re smashing outbound on NTP please check </span><span lang="EN-AU" style="font-family:Wingdings">J</span><span lang="EN-AU"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU">This is the first time we’ve seen reflection attack across peering!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU">What I once considered safe harbour has now been compromised.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU">Kind Regards,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU">Sean Finn,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-AU">Oz Servers.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-AU"><u></u> <u></u></span></p><div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-AU" style="font-size:12.0pt;font-family:"Times New Roman","serif""><hr size="1" width="100%" noshade style="color:#d0d3dd" align="center">
</span></div><p class="MsoNormal" align="center" style="text-align:center"><span lang="EN-AU" style="font-size:9.0pt;font-family:"Tahoma","sans-serif";color:silver">Premium Australian Hosting Solution Specialists</span><span lang="EN-AU" style="font-size:12.0pt;font-family:"Times New Roman","serif""><u></u><u></u></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-AU" style="font-size:12.0pt;font-family:"Times New Roman","serif""><hr size="1" width="100%" noshade style="color:#d0d3dd" align="center">
</span></div><table border="0" cellpadding="0" width="96%" style="width:96.9%"><tbody><tr><td style="padding:.75pt .75pt .75pt .75pt"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sean Finn, </span></b><span style="font-size:7.0pt;font-family:"Tahoma","sans-serif"">BInfTech(NetSys)Qld.UT</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Oz Servers</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>e: <a href="mailto:sean.finn@ozservers.com.au" target="_blank"><span style="color:blue">sean.finn@ozservers.com.au</span></a><br>
<b>w: <a href="http://www.ozservers.com.au/" title="http://www.ozservers.com.au/" target="_blank"><span style="color:blue">http://www.ozservers.com.au</span></a></b><br><b>p: 1300 13 89 69</b></span><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif""> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><u></u> <u></u></span></p>
</td><td style="padding:.75pt .75pt .75pt .75pt"><p class="MsoNormal" align="right" style="text-align:right"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><img border="0" width="140" height="70" src="cid:image005.gif@01CF28D7.E43238D0" alt="ozlogo"><u></u><u></u></span></p>
</td></tr></tbody></table><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>