<div dir="ltr">Seamus means <a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=90&rra_id=all">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=90&rra_id=all</a>  (cloudflare's traffic) for the first link I think, copy paste fail :)</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 4:15 PM, Seamus Ryan <span dir="ltr"><<a href="mailto:s.ryan@uber.com.au" target="_blank">s.ryan@uber.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">






<div lang="EN-AU" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="color:#1f497d">It has also been happening over NSW-IX the last few days (targeting cloudflare
</span><span style="font-family:Wingdings;color:#1f497d">J</span><span style="color:#1f497d"> ).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a><u></u><u></u></span></p>

<p class="MsoNormal"><span style="color:#1f497d"><br>
Not sure if they are NTP, but the “big” one on Tuesday appears to have sources like AARNET<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all</a><u></u><u></u></span></p>

<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">and Ultraserve:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><a href="http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all" target="_blank">http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all</a><u></u><u></u></span></p>

<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">(large spikes line up with cloudflare’s graph)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">         
</span></span></span><u></u><span style="color:#1f497d">Seamus<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Sean K. Finn<br>
<b>Sent:</b> Thursday, 13 February 2014 3:37 PM</span></p><div class=""><br>
<b>To:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> [AusNOG] NTP Reflection coming in over Equinix IX<u></u><u></u></div><p></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-US">Hey All,<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I never thought I’d see the day, we’re seeing local NTP Reflection attacks come in across Equinix peering!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Thankfully they are very small amounts of traffic but you can see the traffic jump percentage wise.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><img border="0" width="596" height="210" src="cid:image001.png@01CF28D6.2DA1BB00"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Does anyone have any mitigation stategies across the Equinix IX . (Apart from obvious, i.e. contacting the peer AS’s to asking them to nice mitigate at their end and pray, or droping prefix from Equinix completely.)<u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">PS Anyone else on Equinix Syd if you’re smashing outbound on NTP please check
<span style="font-family:Wingdings">J</span><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">This is the first time we’ve seen reflection attack across peering!<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">What I once considered safe harbour has now been compromised.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Kind Regards,<u></u><u></u></p>
<p class="MsoNormal">Sean Finn,<u></u><u></u></p>
<p class="MsoNormal">Oz Servers.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<hr size="1" width="100%" noshade style="color:#d0d3dd" align="center">
</span></div>
<p class="MsoNormal" align="center" style="text-align:center"><span style="font-size:9.0pt;font-family:"Tahoma","sans-serif";color:silver">Premium Australian Hosting Solution Specialists</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><u></u><u></u></span></p>

<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<hr size="1" width="100%" noshade style="color:#d0d3dd" align="center">
</span></div>
<table border="0" cellpadding="0" width="96%" style="width:96.9%">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sean Finn,
</span></b><span style="font-size:7.0pt;font-family:"Tahoma","sans-serif"">BInfTech(NetSys)Qld.UT</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><u></u><u></u></span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Oz Servers</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
e: <a href="mailto:sean.finn@ozservers.com.au" target="_blank"><span style="color:blue">sean.finn@ozservers.com.au</span></a><br>
<b>w: <a href="http://www.ozservers.com.au/" title="http://www.ozservers.com.au/" target="_blank">
<span style="color:blue">http://www.ozservers.com.au</span></a></b><br>
<b>p: 1300 13 89 69</b></span><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif"">
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><u></u> <u></u></span></p>
</td>
<td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal" align="right" style="text-align:right">
<span style="font-size:12.0pt;font-family:"Times New Roman","serif""><img border="0" width="140" height="70" src="cid:image002.gif@01CF28D6.2DA1BB00" alt="ozlogo"><u></u><u></u></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</div></div></div>
</div>

<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br></div>