[AusNOG] Stopping unwanted random NTP traffic

Chris Chaundy chris.chaundy at gmail.com
Wed Apr 16 11:02:12 EST 2014 

There are two aspects to the NTP DDoS attacks - the 'open' NTP servers
being used as reflector/amplifiers and the real target address that is
being hit - this can be any host (not necessarily an NTP server).


On Wed, Apr 16, 2014 at 10:57 AM, Andrew Tschudi <andrewtschudi at gmail.com>wrote:

> Thanks Lindsay we only have one fiber provider in our building, with no
> other options.
>
> I am considering IP transit from another provider and using our fiber
> provider as back haul but we are still in contract and not sure if i can
> change this.
>
> Andrew
>
>
> On Wed, Apr 16, 2014 at 10:32 AM, Lindsay Hill <lindsay.k.hill at gmail.com>wrote:
>
>> You probably need to think about changing your upstream provider, if they
>> can't help deal with this - either by them mitigating traffic, or by giving
>> your RTBH capabilities.
>>
>>
>> On Wed, Apr 16, 2014 at 12:24 PM, Andrew Tschudi <andrewtschudi at gmail.com
>> > wrote:
>>
>>> The problem is our upstream provider could not help us stop the traffic
>>> and we ran out of network capacity. Engineering said they can look at
>>> blocking the traffic as part of a special project which might take 6 weeks.
>>>
>>> Andrew
>>>
>>>
>>>
>>> On Wed, Apr 16, 2014 at 10:15 AM, Dobbins, Roland <rdobbins at arbor.net>wrote:
>>>
>>>>
>>>> On Apr 16, 2014, at 7:13 AM, Andrew Tschudi <andrewtschudi at gmail.com>
>>>> wrote:
>>>>
>>>> > We were the target of the attacks and have no open NTP servers on our
>>>> network.
>>>>
>>>> Gotcha.
>>>>
>>>> In that case, you can use QoS to police down non-76-byte UDP/123
>>>> traffic to 1mb/sec in aggregate or thereabouts, and ask your upstream
>>>> transit(s) to do the same on their side of the link(s).
>>>>
>>>> -----------------------------------------------------------------------
>>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>>>
>>>>           Luck is the residue of opportunity and design.
>>>>
>>>>                        -- John Milton
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140416/808ef3c5/attachment.html>

More information about the AusNOG mailing list