[AusNOG] NTP Reflection coming in over Equinix IX

Joshua D'Alton joshua at railgun.com.au
Thu Feb 13 16:25:05 EST 2014


With all this domestic (heh NZ) traffic being used, is this looking like a
specifically targeted AU attack, or are we seeing global hosts as well (but
being blocked offshore)?


On Thu, Feb 13, 2014 at 4:22 PM, Zone Networks - Joel <
joel at zonenetworks.com.au> wrote:

> Hi Guys
>
>
>
> Our gaming network is seeing inbound traffic across, eqx ix, pipe ix and
> vocus, all domestic traffic if you include NZ as domestic :)
>
>
>
> So a lot of ntp still open in aus/nz
>
>
>
> Regards
>
> Joel
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of *Sean
> K. Finn
> *Sent:* Thursday, 13 February 2014 4:05 PM
> *To:* 'James Braunegg'; ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] NTP Reflection coming in over Equinix IX
>
>
>
> G'day James,
>
>
>
> Firstly thank you for sharing.
>
>
>
> We've had in the order of 100-200 hosts being reflectors in the past few
> weeks launching outbound, however this is the first time we've been on the
> receiving end of an NTP.
>
>
>
> What makes this stand out from the every-day DDOS is there were many, many
> hosts coming in across peering.
>
>
>
> We're dropping the ntp traffic at the firewalls internally, it's not
> causing an issue once it gets to us, more of a curiosity that so many
> Australian connected peers are still reflecting, and importantly haven't
> yet been exploited or cleaned up.
>
>
> Thankfully we've been able to clean up the hosts on our network one by one
> as they launch attacks outbound. (Much like in years past when DNS
> amplification was all the rage).
>
>
>
> We've noticed a few older ESXi hosts have ntp enabled by default and are
> susceptible as well, these boxes only started participating in outbound
> attacks within the last two weeks though, as well as Junipers reflecting.
>
>
>
> Prior to that it was mainly older linux hosts.
>
>
>
> I'm guessing there are slightly different permutations to the NTP attack
> and it's being refined slowly over time to identify the ever-diminishing
> reflection fruit.
>
>
>
> -Another oddity:
>
>
>
> The SOURCE IPs were all NTP, UDP port 123.
>
> The RECEIVING IPs at this end were destination PORT 80, UDP.
>
>
>
> iknowrite.
>
>
>
> Sean.
>
>
>
>
>
>
>
> *From:* James Braunegg [mailto:james.braunegg at micron21.com]
>
> *Sent:* Thursday, February 13, 2014 2:52 PM
> *To:* Sean K. Finn; ausnog at lists.ausnog.net
> *Subject:* RE: NTP Reflection coming in over Equinix IX
>
>
>
> Dear Sean
>
>
>
> If you can filter on packet size you should find the attack request for
> the inbound NTP request is 50 bytes in size, if you can drop this inbound
> request via pattern matching this will stop the request attack traffic in
> its place from reaching anything downstream!
>
>
>
> It also is important to understand if you are being targeted by an NTP
> attack or do you have hosts within your network participating in an attack.
>
>
>
> If you need any help just ask!
>
>
>
> Kindest Regards
>
>
>
>
>
>
> *James Braunegg*
> *P:*  1300 769 972  |  *M:*  0488 997 207  |  *D:*  (03) 9751 7616
> *E:*  james.braunegg at micron21.com  |  *ABN:*  12 109 977 666
> *W:*  www.micron21.com/ddos-protection  |  *T:*  @micron21
>
>
>
>
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net]
> *On Behalf Of *Sean K. Finn
> *Sent:* Thursday, February 13, 2014 3:37 PM
> *To:* ausnog at lists.ausnog.net
> *Subject:* [AusNOG] NTP Reflection coming in over Equinix IX
>
>
>
> Hey All,
>
>
>
> I never thought I'd see the day, we're seeing local NTP Reflection attacks
> come in across Equinix peering!
>
>
>
> Thankfully they are very small amounts of traffic but you can see the
> traffic jump percentage wise.
>
>
>
> [image: cid:image002.png at 01CF28CC.B4ED8C60]
>
>
>
>
>
> Does anyone have any mitigation strategies across the Equinix IX? (Apart
> from obvious, i.e. contacting the peer AS's and asking them to nicely mitigate
> at their end and pray, or dropping prefix from Equinix completely.)
>
>
>
> PS Anyone else on Equinix Syd if you're smashing outbound on NTP please
> check :)
>
>
>
>
>
> This is the first time we've seen reflection attack across peering!
>
>
>
> What I once considered safe harbour has now been compromised.
>
>
>
> Kind Regards,
>
> Sean Finn,
>
> Oz Servers.
>
>
>
>
>
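
Added example, not part of the original thread: a flow-record classifier for the distinction raised above between being the target of an NTP reflection attack and hosting reflectors. The local prefix, thresholds, record layout and all sample flows are constructed assumptions; the 50-byte request size is the figure quoted in the thread.

```python
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local prefix

# Constructed flow records: (src, sport, dst, dport, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "192.0.2.80", 80, "udp", 400, 187200),
    ("198.51.100.11", 123, "192.0.2.80", 80, "udp", 350, 163800),
    ("203.0.113.5", 123, "192.0.2.80", 80, "udp", 500, 234000),
    ("203.0.113.77", 80, "192.0.2.20", 123, "udp", 10, 500),     # 50-byte requests
    ("192.0.2.20", 123, "203.0.113.77", 80, "udp", 1000, 468000),
    ("192.0.2.30", 123, "198.51.100.200", 123, "udp", 2, 152),   # ordinary time sync
    ("198.51.100.200", 123, "192.0.2.30", 123, "udp", 2, 152),
]


def classify(flows, local_nets=LOCAL_NETS, min_sources=3, min_ratio=10.0):
    """Return (targets, reflectors) for the local prefixes.

    targets:    local host -> number of distinct remote hosts sending it
                UDP traffic *from* port 123 (reflected replies).
    reflectors: local host -> bytes sent from udp/123 divided by bytes
                received on udp/123 (amplification ratio).
    """
    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in local_nets)

    inbound = defaultdict(set)   # local dst -> remote sources on sport 123
    req = defaultdict(int)       # local host -> bytes received on udp/123
    resp = defaultdict(int)      # local host -> bytes sent from udp/123
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if sport == 123 and not is_local(src) and is_local(dst):
            inbound[dst].add(src)
        if dport == 123 and is_local(dst) and not is_local(src):
            req[dst] += nbytes
        if sport == 123 and is_local(src) and not is_local(dst):
            resp[src] += nbytes
    targets = {h: len(s) for h, s in inbound.items() if len(s) >= min_sources}
    # Hosts with no recorded requests are skipped; the ratio is undefined there.
    reflectors = {h: round(resp[h] / req[h], 1) for h in resp
                  if req[h] and resp[h] / req[h] >= min_ratio}
    return targets, reflectors


if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

The host doing ordinary time sync appears in neither result: it has a single remote peer on port 123 and a 1:1 byte ratio.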