[AusNOG] Stopping unwanted random NTP traffic

Andrew Tschudi andrewtschudi at gmail.com
Wed Apr 23 17:38:58 EST 2014


Great information you have provided. The attacks have subsided since last
week but have illustrated how vulnerable our upstream network is.

Andrew



On Wed, Apr 16, 2014 at 10:59 AM, James Braunegg <
james.braunegg at micron21.com> wrote:

> Dear Andrew
>
>
>
> In short, as long as you're running BGP along with your own AS we can protect
> your network for free as part of our AusNOG trial.
>
>
>
> Being single homed we would create a GRE tunnel (Between our domestic and
> international networks) directly to your router via your current upstream
> provider which allows us to advertise your IP ranges and essentially become
> an on demand second upstream provider for your network.
>
>
>
> Downside to a GRE is you still only have one upstream provider, and if
> your upstream interface gets targeted directly this can stop the GRE tunnel
> from being established, which can get tricky to mitigate.
>
>
>
> As for preventing your network connection from becoming saturated it is
> all about timing and getting real time information from your network which
> can be done manually or automatically.
>
>
>
> Automatically you can send netflow/sflow/jflow or even SNMP information
> from your routers to our DDoS Mitigation platform which can inspect these
> flows continuously looking for attack traffic and automatically
> re-advertise more specifically the affected IP ranges across our network
> (Soak) which would then allow us to inspect the traffic and separate the
> good traffic from the bad (Scrub) where we then transparently forward this
> traffic back to your network via the established GRE tunnel.
>
>
>
> Manually you would want to establish as quickly as possible what IP ranges
> are being targeted and then via BGP more specifically advertise the
> affected ranges onto our network, which would relieve the stress on your
> network and would then allow us to Soak and Scrub your traffic and
> return it via the established GRE tunnel.
>
>
>
> I have to admit however a GRE tunnel is not as nice as being directly
> connected (ie a direct physical cross connection or say a Megaport VCX
> virtual cross connection) which gives you a lot more flexibility,
> alternatively using a connection less likely to be affected with attack
> traffic ie PIPE IX or IX peering also works extremely well.
>
>
>
> I believe DDoS Mitigation is not an “on / off” type of service; you really
> need to evaluate the entire network which needs protection and brainstorm
> the best way to protect it!
>
>
>
> Hope this answers your questions
>
>
>
> Kindest Regards
>
>
>
>
>
>
> *James Braunegg*
> *P:*  1300 769 972  |  *M:*  0488 997 207 |  *D:*  (03) 9751 7616
>
> *E:*   james.braunegg at micron21.com  |  *ABN:*  12 109 977 666
> *W:*  www.micron21.com/ddos-protection   *T:* @micron21
>
>
>
>
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or disclose it
> to anyone other than the addressee. If you have received this message in
> error please return the message to the sender by replying to it and then
> delete the message from your computer.
>
>
>
> *From:* Andrew Tschudi [mailto:andrewtschudi at gmail.com]
> *Sent:* Wednesday, April 16, 2014 9:49 AM
> *To:* James Braunegg
> *Cc:* Mark Tees; John Wooler; ausnog at ausnog.net
> *Subject:* Re: [AusNOG] Stopping unwanted random NTP traffic
>
>
>
> James, thanks for the information on NTP attacks, very interesting and
> informative. With your free DDoS protection can you protect a remote
> network which is single homed, and how do you get around the issue of our
> uplink connection being saturated?
>
>
>
> Andrew
>
>
>
> On Tue, Apr 15, 2014 at 5:21 PM, James Braunegg <
> james.braunegg at micron21.com> wrote:
>
> Dear All
>
>
>
> Thanks for the great feedback and comments. Our team has been having lots
> of fun helping Australian networks mitigate DDoS attacks over the last few
> months. In fact - in case you did not know - AusNOG members (everyone
> reading this) have access to our services for free via a trial period. If
> you’re interested please let me know. Furthermore, I'll be presenting all
> the results and information specifically with reference to DDoS attacks
> within Australia at AusNOG this year in September.
>
>
>
> I’ve also written a small blog article on NTP attacks which can be found
> here: http://www.micron21.com/ddos-ntp.php which explains some ways to
> provide protection against inbound requests towards your network.  This
> information has been co-compiled by Roland Dobbins and me.
>
>
>
> Kindest Regards
>
>
>
>
>
>
> *James Braunegg*
> *P:*  1300 769 972  |  *M:*  0488 997 207 |  *D:*  (03) 9751 7616
>
> *E:*   james.braunegg at micron21.com  |  *ABN:*  12 109 977 666
> *W:*  www.micron21.com/ddos-protection   *T:* @micron21
>
>
>
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark
> Tees
> Sent: Tuesday, April 15, 2014 4:16 PM
> To: John Wooler
> Cc: ausnog at ausnog.net
> Subject: Re: [AusNOG] Stopping unwanted random NTP traffic
>
>
>
> +1 For Micron21. Service works as advertised and their staff have been
> very helpful in every aspect. Bonus points for getting access to the attack
> monitoring platform and flow data interface.
>
>
>
> On 15 Apr 2014, at 4:00 pm, John Wooler <john.wooler at exigent.com.au>
> wrote:
>
>
>
> > Hi Andrew
> >
> > My personal recommendation and professional recommendation would
> > honestly be Micron21 (based in Melbourne).
> >
> > Over the past month or 2 we have been using them for DDoS protection on
> > our network in Melbourne, Brisbane & Sydney over the Megaport VCX service
> > and by far these guys have hit the nail on the coffin when it comes to this
> > sort of network protection.  We’ve actually seen a number of DDoS attacks
> > coming in on NTP ourselves, DNS attacks, random attacks on port 80 etc and
> > these guys mitigate any type of attack when it comes to this type of stuff.
> >
> > There’s a few good points to list
> >
> > - All traffic stays here in Australia so no re-routing traffic
> >   to America or elsewhere around the globe….  This helps with not having to
> >   add latency for your end clients to experience & complain about.
> >
> > - Once an attack starts, they’re quick on the ball to detect it
> >   and alert you of the attack + monitor it as well.
> >
> > - They have the capacity to handle large attacks.
> >
> > - They own the equipment and have in-house certified engineers
> >   who know what they’re doing and are always willing to help out in any way.
> >
> > We’re using them and we’re going to continue using them for a very long
> > time to come (probably forever to be real honest) and I couldn’t recommend
> > them enough.
> >
> > Check out their DDoS site as well.
> >
> > http://www.micron21.com/ddos-protection.php
> >
> > Kindest Regards,
> >
> > John Wooler
> > Exigent Enterprise
> >
> > From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> > Andrew Tschudi
> > Sent: Tuesday, 15 April 2014 2:09 PM
> > To: ausnog at ausnog.net
> > Subject: [AusNOG] Stopping unwanted random NTP traffic
> >
> > We have been receiving unwanted inbound NTP traffic towards multiple
> > different servers within our network. This has been creating days of pain
> > and after liaising with our upstream provider it turns out that they have
> > no BGP communities. Had they had BGP Communities, this would then allow me
> > to block the traffic from reaching my routers, which are continuously being
> > flooded. I figure, it’s now time for me to attempt to source some external
> > help.
> >
> > Can anyone provide any recommendations for sourcing professional
> > services that would be trusted in advising the best way to protect and
> > secure our network?
> >
> > Andrew
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
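
The automatic path described in the quoted reply of 16 April (flow records inspected for attack traffic, then a more-specific announcement of the affected range) can be sketched as below. This is an added example, not part of the thread and not Micron21's platform; the flow tuple layout, the 10.20.0.0/22 aggregate, the 10-second window and the 100 Mbit/s threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

UDP, NTP_PORT = 17, 123

# Constructed flow records for one 10-second window (illustrative layout):
# (src_ip, src_port, dst_ip, dst_port, ip_proto, bytes)
FLOWS = [
    ("192.0.2.10",   123, "10.20.1.5",  40211, 17, 80_000_000),   # NTP reply flood
    ("198.51.100.7", 123, "10.20.1.9",  51877, 17, 90_000_000),   # same /24, other host
    ("192.0.2.44",   123, "10.20.2.8",  123,   17, 1_000_000),    # ordinary NTP volume
    ("203.0.113.9",  443, "10.20.3.3",  55002, 6,  500_000_000),  # bulk TCP, not NTP
    ("192.0.2.10",   123, "172.16.0.1", 40000, 17, 900_000_000),  # not our prefix
]
AGGREGATES = ["10.20.0.0/22"]  # assumed prefix normally announced upstream


def prefixes_to_divert(flows, aggregates, window_s, threshold_bps, plen=24):
    """Return the more-specific prefixes whose inbound NTP-reply rate
    meets or exceeds threshold_bps, as strings ready for an announcement."""
    nets = [ipaddress.ip_network(a) for a in aggregates]
    bits = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        # Reflected NTP replies arrive as UDP with source port 123.
        if proto != UDP or sport != NTP_PORT:
            continue
        dst_ip = ipaddress.ip_address(dst)
        parent = next((n for n in nets if dst_ip in n), None)
        if parent is None:
            continue  # destination is not in address space we originate
        # /24 is the usual longest IPv4 prefix other networks accept; never
        # emit anything shorter than the aggregate that is already announced.
        length = max(plen, parent.prefixlen)
        specific = ipaddress.ip_network(f"{dst}/{length}", strict=False)
        bits[specific] += nbytes * 8
    hot = sorted(p for p, b in bits.items() if b / window_s >= threshold_bps)
    return [str(p) for p in hot]


if __name__ == "__main__":
    # Only 10.20.1.0/24 crosses 100 Mbit/s in the constructed sample.
    print(prefixes_to_divert(FLOWS, AGGREGATES, window_s=10, threshold_bps=100e6))
```

Only the flagged prefix is announced towards the scrubbing network; the rest of the aggregate keeps its normal path.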