<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html>
<head>
 <meta http-equiv='Content-Type' content='text/html;charset=UTF-8'>
 <style>BODY{font:10pt Tahoma, Verdana, sans-serif;}</style>
</head>
<body>
Can you get the source MAC address(es)? The ARP cache should then tell you which peers.<br><br>Cheers.<br>Mitchell<br><br>
<blockquote style="padding-left: 5px; margin-left: 5px; border-left: #0000ff 2px solid; margin-right: 0px"><hr><b>From:</b> Sean K. Finn [mailto:sean.finn@ozservers.com.au]<br><b>To:</b> ausnog@lists.ausnog.net [mailto:ausnog@lists.ausnog.net]<br><b>Sent:</b> Thu, 13 Feb 2014 15:37:21 +1100<br><b>Subject:</b> [AusNOG] NTP Reflection coming in over Equinix IX<br><br>
<div class="WordSection1">
<p class="MsoNormal">Hey All,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I never thought I’d see the day; we’re seeing local NTP Reflection attacks come in across Equinix peering!</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thankfully they are very small amounts of traffic, but you can see the traffic jump percentage-wise.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><img id="Picture_x0020_1" src="cid:image001.png@01CF28C9.B58F03E0" height="210" width="596"></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Does anyone have any mitigation strategies across the Equinix IX? (Apart from the obvious, i.e. contacting the peer AS’s and asking them to nicely mitigate at their end and pray, or dropping prefix from Equinix completely.)</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>PS: Anyone else on Equinix Syd, if you’re smashing outbound on NTP, please check :)</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>This is the first time we’ve seen a reflection attack across peering!</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>What I once considered safe harbour has now been compromised.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Kind Regards,</span></p>
<p class="MsoNormal"><span>Sean Finn,</span></p>
<p class="MsoNormal"><span>Oz Servers.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"><hr style="color:#D0D3DD" align="center" size="1" width="100%"></span></div>
<p class="MsoNormal" style="text-align:center" align="center"><span style="font-size:9.0pt;font-family:'Tahoma','sans-serif';color:silver">Premium Australian Hosting Solution Specialists</span><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"><hr style="color:#D0D3DD" align="center" size="1" width="100%"></span></div>
<table class="MsoNormalTable" style="width:96.9%" border="0" cellpadding="0" width="96%"><tbody><tr><td style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">Sean Finn, </span></b><span style="font-size:7.0pt;font-family:'Tahoma','sans-serif'">BInfTech(NetSys)Qld.UT</span><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">Oz Servers</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"><br>e: <a href="mailto:sean.finn@ozservers.com.au"><span style="color:blue">sean.finn@ozservers.com.au</span></a><br><b>w: <a href="http://www.ozservers.com.au/" title="http://www.ozservers.com.au/"><span style="color:blue">http://www.ozservers.com.au</span></a></b><br><b>p: 1300 13 89 69</b></span><span style="font-size:7.5pt;font-family:'Tahoma','sans-serif'"> </span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:'Tahoma','sans-serif'"> </span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"> </span></p>
</td><td style="padding:.75pt .75pt .75pt .75pt"><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:right" align="right"><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"><img id="Picture_x005f_x005f_x005f_x0020_2" src="cid:image002.gif@01CF28C9.B58F03E0" alt="ozlogo" border="0" height="70" width="140"></span><span style="font-size:12.0pt;font-family:'Times New Roman','serif'"></span></p></td></tr></tbody></table>
<p class="MsoNormal"> </p>
</div></blockquote><style>
 @font-face {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;}
 p.MsoNormal,li.MsoNormal,div.MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri","sans-serif";}
 a:link,span.MsoHyperlink {mso-style-priority:99;color:#0563C1;text-decoration:underline;}
 a:visited,span.MsoHyperlinkFollowed {mso-style-priority:99;color:#954F72;text-decoration:underline;}
 span.EmailStyle17 {mso-style-type:personal-compose;font-family:"Calibri","sans-serif";color:windowtext;}
 .MsoChpDefault {mso-style-type:export-only;font-family:"Calibri","sans-serif";}
 @page WordSection1 {size:8.5in 11.0in;margin:1.0in 1.0in 1.0in 1.0in;}
 div.WordSection1 {page:WordSection1;}
</style>
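The source-MAC-to-ARP lookup suggested in the reply above, as an added example that is not part of the original thread: it totals UDP source-port-123 frames per source MAC and resolves each MAC to a peer's IX LAN address through the ARP cache. The capture lines (`tcpdump -e -n` style), the ARP table (`ip neigh` style), the interface name and all addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: ARP cache of the IX-facing interface (`ip neigh` style).
ARP_TABLE = """\
198.51.100.10 dev eth1 lladdr 02:00:00:00:0a:01 REACHABLE
198.51.100.20 dev eth1 lladdr 02:00:00:00:0a:02 STALE
"""
# Constructed sample: `tcpdump -e -n` style lines (link-level header printed).
CAPTURE = """\
15:37:21.000101 02:00:00:00:0a:01 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 482: 203.0.113.5.123 > 192.0.2.80.41000: NTPv2, Reserved, length 440
15:37:21.000202 02:00:00:00:0a:01 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 482: 203.0.113.9.123 > 192.0.2.80.41000: NTPv2, Reserved, length 440
15:37:21.000303 02:00:00:00:0a:02 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 90: 203.0.113.77.123 > 192.0.2.81.123: NTPv4, Server, length 48
15:37:21.000404 02:00:00:00:0a:09 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 482: 203.0.113.200.123 > 192.0.2.80.41000: NTPv2, Reserved, length 440
15:37:21.000505 02:00:00:00:0a:01 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 74: 203.0.113.5.443 > 192.0.2.80.51000: Flags [S.], length 0
"""
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    rf"(?P<smac>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), length (?P<len>\d+): "
    rf"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > ", re.I)
ARP_RE = re.compile(rf"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>{MAC})", re.I | re.M)

def load_arp(text):
    """Map MAC -> peer address on the IX LAN."""
    return {m["mac"].lower(): m["ip"] for m in ARP_RE.finditer(text)}

def ntp_by_peer(capture, arp_text):
    """Total frames with source port 123 per sending peer, largest first."""
    arp = load_arp(arp_text)
    totals = defaultdict(lambda: {"bytes": 0, "frames": 0, "reflectors": set()})
    for line in capture.splitlines():
        m = FRAME_RE.search(line)
        if not m or m["sport"] != "123":
            continue  # not traffic sourced from port 123
        mac = m["smac"].lower()
        # A MAC missing from the ARP cache is reported rather than dropped.
        peer = arp.get(mac, f"unknown ({mac})")
        entry = totals[peer]
        entry["bytes"] += int(m["len"])
        entry["frames"] += 1
        entry["reflectors"].add(m["sip"])  # source IP = the reflecting NTP server
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]["bytes"]))

if __name__ == "__main__":
    for peer, t in ntp_by_peer(CAPTURE, ARP_TABLE).items():
        print(f"{peer:30} {t['bytes']:6} bytes {t['frames']:3} frames "
              f"{len(t['reflectors'])} reflector IPs")
```

The source IPs in such traffic are the reflecting NTP servers, so only the source MAC identifies which peer's router handed the frames to the exchange.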
</body></html>