<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>Dear Roland<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>In our hands in the wild we have seen the inbound request packet being 50 bytes in length.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Have a read here for more information - <a href="http://www.micron21.com/ddos-ntp">http://www.micron21.com/ddos-ntp</a>. I would value your input on the Wireshark capture, which is "wild" attack traffic.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Kindest Regards<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoNormal><b><span style='font-family:"Verdana","sans-serif";color:black'>James Braunegg<br></span></b><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>P:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>E:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> </span><span style='color:black'><a href="mailto:james.braunegg@micron21.com"><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>james.braunegg@micron21.com</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> | <b>ABN:</b> 12 109 977 666 <br><b>W:</b> <a href="http://www.micron21.com/ddos-protection"><span style='color:black'>www.micron21.com/ddos-protection</span></a> <b>T:</b> @micron21<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span 
style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'></span><span lang=EN-AU style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoPlainText>-----Original Message-----<br>From: AusNOG [mailto:ausnog-bounces@lists.ausnog.net] On Behalf Of Dobbins, Roland<br>Sent: Friday, February 14, 2014 1:23 AM<br>To: ausnog@lists.ausnog.net<br>Subject: Re: [AusNOG] NTP Reflection coming in over Equinix IX<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On Feb 13, 2014, at 11:51 AM, James Braunegg <<a href="mailto:james.braunegg@micron21.com"><span style='color:windowtext;text-decoration:none'>james.braunegg@micron21.com</span></a>> wrote:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>> If you can filter on packet size you should find the attack request for the inbound NTP request is 50 bytes in size, i<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>FWIW, regular ntp sync requests and responses are ~90 bytes in size on an Ethernet network (i.e., a bit of framing overhead, plus IP and UDP); non-sync requests (i.e., monlist, et al.) 
seem to be ~234 bytes in size on Ethernet networks, with the responses of course being much larger.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>You have to be careful when filtering with ACLs or flowspec on the reflector/amplifier - target leg of the attack, because the bulk of the attack payload is non-initial UDP fragments, and you have to have some understanding of what apps/services the attack target is running/using in order to figure out how to deal with that.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>One way to do it is to permit all UDP/53-sourced traffic to the target, drop all UDP/123 larger than, say, 200 bytes (just to give a bit of overhead), and then to drop UDP non-initial fragments to the target. The potential problem with this is breaking large, fragmented EDNS0/DNSSEC responses, and/or any other UDP apps/services in use by the target which utilize large UDP messages which may well be fragmented.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>For a lot of targets, that won't matter, as they aren't directly accessing DNS servers across the public Internet (they're using local recursors, for example, which aren't targeted in the attack and are southbound of the mitigation filtering), or other UDP stuff which uses large, potentially-fragmented UDP messages. 
But for some, it will matter, and so that's why knowledge of the target details is necessary in order to figure out how to provide the best possible partial service recovery quotient during an attack.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Filtering UDP/123-destined packets of ~234 bytes in length (the source ports are generally ephemeral, as these commands are actually generated by non-privileged client utilities like ntpdc and ntpq) is one way to prevent level-6/-7 commands used to stimulate reflection/amplification on the attack-source - reflector/amplifier leg of the attack from ever reaching the reflectors/amplifiers.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----------------------------------------------------------------------<o:p></o:p></p><p class=MsoPlainText>Roland Dobbins <<a href="mailto:rdobbins@arbor.net"><span style='color:windowtext;text-decoration:none'>rdobbins@arbor.net</span></a>> // <<a href="http://www.arbornetworks.com"><span style='color:windowtext;text-decoration:none'>http://www.arbornetworks.com</span></a>><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> Luck is the residue of opportunity and design.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText> -- John Milton<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>_______________________________________________<o:p></o:p></p><p class=MsoPlainText>AusNOG mailing list<o:p></o:p></p><p class=MsoPlainText><a href="mailto:AusNOG@lists.ausnog.net"><span style='color:windowtext;text-decoration:none'>AusNOG@lists.ausnog.net</span></a><o:p></o:p></p><p class=MsoPlainText><a href="http://lists.ausnog.net/mailman/listinfo/ausnog"><span style='color:windowtext;text-decoration:none'>http://lists.ausnog.net/mailman/listinfo/ausnog</span></a><o:p></o:p></p></div></body></html>
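<p class=MsoPlainText>As an added illustration that is not part of either message in this thread, the Python sketch below models the two filters Roland describes: the target-leg rule set (permit UDP/53-sourced traffic, drop UDP/123 packets over 200 bytes, drop non-initial UDP fragments) and the source-leg rule against ~234-byte UDP/123-destined requests. The Packet fields, the sample traffic and the 1500/600-byte fragment sizes are constructed assumptions; the sample shows why the tail of a fragmented EDNS0/DNSSEC answer gets dropped by the same rules.</p>

```python
from dataclasses import dataclass
from typing import Optional

NTP_PORT = 123
DNS_PORT = 53
NTP_MAX_BYTES = 200        # "drop all UDP/123 larger than, say, 200 bytes"
MONLIST_REQ_BYTES = 234    # request size quoted in the reply for monlist-style commands


@dataclass
class Packet:
    """Constructed packet summary, not a real parser. Only the initial
    fragment (frag_offset == 0) carries a UDP header, so ports are None
    for non-initial fragments: the blind spot the reply warns about."""
    length: int
    frag_offset: int = 0
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def target_leg_action(pkt: Packet) -> str:
    """Reflector/amplifier -> target leg, rules in the order the reply gives them."""
    if pkt.src_port == DNS_PORT:                 # permit all UDP/53-sourced traffic
        return "permit"
    if NTP_PORT in (pkt.src_port, pkt.dst_port) and pkt.length > NTP_MAX_BYTES:
        return "drop"                            # oversized NTP packet (amplified reply)
    if pkt.frag_offset > 0:                      # non-initial UDP fragment
        return "drop"
    return "permit"


def source_leg_action(pkt: Packet) -> str:
    """Attack-source -> reflector leg: keep the ~234-byte, ephemeral-source,
    UDP/123-destined commands from reaching the reflectors at all."""
    if pkt.dst_port == NTP_PORT and pkt.length == MONLIST_REQ_BYTES:
        return "drop"
    return "permit"


# Constructed target-leg traffic mix (sizes are assumed): the amplified NTP
# reply is stopped, but so is the tail of a fragmented DNSSEC answer.
TARGET_LEG_SAMPLE = {
    "ntp_sync_response": Packet(90, src_port=NTP_PORT, dst_port=40001),
    "amplified_ntp_initial_frag": Packet(1500, src_port=NTP_PORT, dst_port=40002),
    "amplified_ntp_later_frag": Packet(1500, frag_offset=185),
    "dnssec_initial_frag": Packet(1500, src_port=DNS_PORT, dst_port=40003),
    "dnssec_later_frag": Packet(600, frag_offset=185),  # no UDP header to match on
}


def classify_sample() -> dict:
    """Run the target-leg rules over the sample; name -> 'permit'/'drop'."""
    return {name: target_leg_action(p) for name, p in TARGET_LEG_SAMPLE.items()}
```

<p class=MsoPlainText>The "dnssec_later_frag" entry is the collateral damage the reply calls out: without the UDP header, the permit-UDP/53 rule cannot see it, so a target that relies on large DNS answers over the public Internet needs a different rule set.</p>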