[AusNOG] NTP reflection used for world's largest DDoS

Joe Saxton Joe.Saxton at workforce.com.au
Wed Feb 12 16:27:26 EST 2014


Possible reason for the attack?
https://thedaywefightback.org/international/


-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Jeremy Begg
Sent: Wednesday, 12 February 2014 4:04 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] NTP reflection used for world's largest DDoS

>My ESX servers seemed to have NTP open by default too.

I think you'll find an awful lot of servers have NTP on by default, or the system administrator has turned it on without understanding the need for any security around it.  (I'm guilty of that.)

In my case the fix was very simple: a kernel-level packet filter which blocks all NTP traffic except for specified hosts and networks.  The requests still come on to the network but they don't result in any responses.

Regards,

        Jeremy Begg

  +---------------------------------------------------------+
  |            VSM Software Services Pty. Ltd.              |
  |                 http://www.vsm.com.au/                  |
  |---------------------------------------------------------|
  | P.O.Box 402, Walkerville, |  E-Mail:  jeremy at vsm.com.au |
  | South Australia 5081      |   Phone:  +61 8 8221 5188   |
  |---------------------------|  Mobile:  0414 422 947      |
  |  A.C.N. 068 409 156       |     FAX:  +61 8 8221 7199   |
  +---------------------------------------------------------+


>On 12/02/14 15:15, Nathan Brookfield wrote:
>>
>> We've had some customers' boxes through UECOMM IP transit compromised 
>> this morning, only small links but they're certainly going hard.  A 
>> few clients run Zimbra which is VMware's mail server and it appears 
>> to have NTP open by default.
>>
>> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of 
>> *Joshua D'Alton
>> *Sent:* Wednesday, 12 February 2014 3:03 PM
>> *Cc:* ausnog at lists.ausnog.net
>> *Subject:* Re: [AusNOG] NTP reflection used for world's largest DDoS
>>
>> And looks like another one is running, level3 seems totally decimated 
>> at the moment, 100ms+ on usual routes.
>>
>> On Tue, Feb 11, 2014 at 2:51 PM, Daniel Watson <daniel at glovine.com.au> wrote:
>>
>> http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.aspx
>>
>> What is the world coming to.
>>
>> D.
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net> 
>> http://lists.ausnog.net/mailman/listinfo/ausnog

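The filter Jeremy Begg describes above (block all NTP traffic except specified hosts and networks, so requests still arrive but get no response), sketched as an added example that is not part of the original thread or any poster's actual configuration. The use of iptables, the chain name `NTP-IN` and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Chain name NTP-IN is hypothetical and
# the sample addresses are constructed (RFC 5737 documentation ranges).

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_source() {
    addr=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print an iptables-restore fragment for the given allowlist.
# Every entry is validated first, so a bad entry yields no partial ruleset.
ntp_allowlist_rules() {
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "*filter"
    echo ":NTP-IN - [0:0]"
    echo "-A INPUT -p udp --dport 123 -j NTP-IN"
    for src in "$@"; do
        # Upstream time servers belong on this list too: ntpd normally queries
        # from source port 123, so their replies also arrive with dport 123.
        echo "-A NTP-IN -s $src -j ACCEPT"
    done
    # Silent DROP rather than REJECT: the host sends nothing back at all.
    echo "-A NTP-IN -j DROP"
    echo "COMMIT"
}

# Constructed allowlist: one upstream time server and one internal network.
ntp_allowlist_rules 192.0.2.10 198.51.100.0/24
```

Review the output before loading it with `iptables-restore --noflush`, which keeps the existing ruleset. The jump is appended to `INPUT`, so an earlier rule that already accepts UDP traffic would still match first.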