[AusNOG] NTP Reflection coming in over Equinix IX

Dobbins, Roland rdobbins at arbor.net
Thu Feb 13 16:23:57 EST 2014


On Feb 13, 2014, at 12:05 PM, Sean K. Finn <sean.finn at ozservers.com.au> wrote:

> I’m guessing there are slightly different permutations to the NTP attack and it’s being refined slowly over time to identify the ever-diminishing reflection fruit.

There're ~7M abusable ntpds on the Internet right now - remediation has been proceeding much more quickly than with open DNS recursors.

>  -Another oddity:
>  
> The SOURCE IP’s were all NTP, UDP port 123.
> The RECEIVING IPs at this end were destination PORT 80, UDP.

The attacker can choose the source port on the attack-source - reflector/amplifier leg, which becomes the destination port on the reflector/amplifier leg.

Most of what we see is destined for UDP/80 - a dozen years or more ago, some miscreant noticed that there was a port assignment for HTTP over UDP/80 (never implemented, AFAIK), and started using it, thinking he was directly attacking the httpd on the target.  Most miscreants don't know much about TCP/IP, and if something works, they all copy one another.

The sad part is that most targets are so brittle, fragile, and non-scalable that just about anything will work.

Endpoint networks should enforce reasonable situationally-specific access-control policy via stateless ACLs on their edges.  This won't help if the transit link is flooded, but it will at least keep out-of-profile traffic off the targets.  ISPs should consider 'forward deployment' of these policies at the customer aggregation edge.  S/RTBH, flowspec, and/or IDMS can be used to mitigate attack traffic, but these aren't policy-enforcement mechanisms.

Yesterday, I worked an attack which was UDP/123 - UDP/123, and the attacker wasn't targeting specific servers, but rather seemingly-random unused IPs on the target network.  The inference is that this attacker is a bit more clueful than most, knows that a lot of ntp implementations use UDP/123 - UDP/123 (as opposed to an ephemeral port on the querying side), and that his goal was to fill up the last-km transit link.

The recommended solution in the above case was a combination of S/RTBH plus whitelisting of any external ntpds used by the target organization, and then blocking all UDP/123 source traffic to the target network, plus dropping non-initial fragments towards non-utilized IP addresses on the target network (this particular operator didn't yet have flowspec or IDMS up and running) for the specific targeted network, implemented via ACLs on the coreward interfaces of the customer aggregation gateway.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
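The stateless edge-ACL policy described in the message above (whitelist the external ntpds the organization actually uses, drop all other UDP traffic sourced from port 123 towards the target network, and drop non-initial fragments towards unused IPs), as an added example that is not part of the original post and not Arbor's code. The prefixes, the in-use host list, the whitelisted NTP servers, and the flow records are constructed placeholders from the RFC 5737 documentation ranges:

```python
"""Stateless edge ACL simulation for NTP reflection traffic.

Added example (not from the AusNOG post or Arbor). It encodes the
first-match policy the post recommends for the coreward interfaces of a
customer aggregation gateway. All addresses and flows are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TARGET_NET = ip_network("203.0.113.0/24")  # assumed target network (RFC 5737)
# Hosts that are actually in use on the target network (assumed).
IN_USE_HOSTS = {ip_address("203.0.113.10"), ip_address("203.0.113.25")}
# External ntpds the target organization legitimately syncs with (assumed).
NTP_WHITELIST = {ip_address("198.51.100.5"), ip_address("198.51.100.6")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    sport: int
    dport: int
    frag_offset: int = 0  # >0 means a non-initial fragment; no L4 header on the wire


def classify(flow):
    """Return (action, rule) for one flow, evaluated first-match like a stateless ACL."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if dst not in TARGET_NET:
        return ("permit", "not-our-prefix")
    # Non-initial fragments carry no ports, so they can only be judged by destination:
    # accept them towards live hosts, drop them towards unused addresses.
    if flow.frag_offset > 0:
        if dst in IN_USE_HOSTS:
            return ("permit", "fragment-to-live-host")
        return ("drop", "fragment-to-unused-ip")
    # UDP sourced from port 123 is NTP reply traffic; only the whitelisted
    # external ntpds may deliver it, and only to hosts that exist.
    if flow.proto == "udp" and flow.sport == 123:
        if src in NTP_WHITELIST and dst in IN_USE_HOSTS:
            return ("permit", "whitelisted-ntp")
        return ("drop", "udp-123-source")
    return ("permit", "default")


def apply_policy(flows):
    """Apply the ACL to a batch of flows and return a per-(action, rule) hit counter."""
    hits = Counter()
    for f in flows:
        hits[classify(f)] += 1
    return hits


# Constructed sample flows mirroring the patterns discussed in the thread.
SAMPLE_FLOWS = [
    # Reflected NTP responses aimed at UDP/80, as in the original report.
    Flow("192.0.2.77", "203.0.113.10", "udp", 123, 80),
    Flow("192.0.2.78", "203.0.113.10", "udp", 123, 80),
    # UDP/123 -> UDP/123 towards seemingly random unused IPs.
    Flow("192.0.2.90", "203.0.113.201", "udp", 123, 123),
    Flow("192.0.2.91", "203.0.113.202", "udp", 123, 123),
    # Non-initial fragment of a large reply towards an unused IP.
    Flow("192.0.2.90", "203.0.113.203", "udp", 0, 0, frag_offset=185),
    # Legitimate reply from a whitelisted external ntpd to a live host.
    Flow("198.51.100.5", "203.0.113.10", "udp", 123, 123),
    # Unrelated inbound TCP web traffic.
    Flow("192.0.2.9", "203.0.113.25", "tcp", 51000, 443),
]

if __name__ == "__main__":
    for (action, rule), n in sorted(apply_policy(SAMPLE_FLOWS).items()):
        print(f"{action:6} {rule:24} {n}")
```

This is the policy-enforcement half of the post's recommendation: it keeps out-of-profile traffic off the target hosts but does nothing for a saturated last-km transit link, which is why the post pairs it with S/RTBH upstream. Whitelisting by source address still admits spoofed packets claiming to be a whitelisted ntpd, so the whitelist should stay as short as the organization's real NTP configuration allows.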
