[AusNOG] NTP Reflection coming in over Equinix IX

Joshua D'Alton joshua at railgun.com.au
Thu Feb 13 16:26:48 EST 2014


Wow further to my last email, looks like a targeted attack then. And with
power too, all those hosts have pretty hefty internet connections, well not
to mention peering!


On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg <james.braunegg at micron21.com
> wrote:

> Dear Seamus
>
>
>
> Your totally correct.. here is a list of some big offenders we have found
> so far in Australia
>
>
>
> 58                     DEAKIN-AS-AP Deakin University (AU) (AS7645)
>
> 84                     MONASHUNI-AU-AS-AP Monash University, (AU) (AS56132)
>
> 41                     EFTEL-AS-AP Eftel Limited. (AU) (AS10113)
>
> 155                   AARNET-AS-AP Australian Academic and Reasearch
> Network (AARNet) (AU) (AS7575)
>
> 69                     UQ-AS-AP University of Queensland (AU) (AS24436)
>
>
>
> (The numbers are the amount of unique IP addresses from each AS within an
> attack)
>
>
>
> Kindest Regards
>
>
>
>
> *James Braunegg**P:*  1300 769 972  |  *M:*  0488 997 207 |  *D:*  (03)
> 9751 7616
>
> *E:*   james.braunegg at micron21.com  |  *ABN:*  12 109 977 666
> *W:*  www.micron21.com/ddos-protection   *T:* @micron21
>
>
>
>
> [image: Description: Description: Description: Description: M21.jpg]
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or disclose it
> to anyone other than the addressee. If you have received this message in
> error please return the message to the sender by replying to it and then
> delete the message from your computer.
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of *Seamus
> Ryan
> *Sent:* Thursday, February 13, 2014 4:16 PM
>
> *To:* 'Sean K. Finn'; ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] NTP Reflection coming in over Equinix IX
>
>
>
> It has also been happening over NSW-IX the last few days (targeting
> cloudflare J ).
>
>
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>
>
> Not sure if they are NTP, but the "big" one on Tuesday appears to have
> sources like AARNET
>
>
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>
>
>
> and Ultraserve:
>
>
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all
>
>
>
> (large spikes line up with cloudflare's graph)
>
>
>
> -          Seamus
>
>
>
>
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net<ausnog-bounces at lists.ausnog.net>]
> *On Behalf Of *Sean K. Finn
> *Sent:* Thursday, 13 February 2014 3:37 PM
> *To:* ausnog at lists.ausnog.net
> *Subject:* [AusNOG] NTP Reflection coming in over Equinix IX
>
>
>
> Hey All,
>
>
>
> I never thought I'd see the day, we're seeing local NTP Reflection attacks
> come in across Equinix peering!
>
>
>
> Thankfully they are very small amounts of traffic but you can see the
> traffic jump percentage wise.
>
>
>
>
>
>
>
> Does anyone have any mitigation stategies across the Equinix IX . (Apart
> from obvious, i.e. contacting the peer AS's to asking them to nice mitigate
> at their end and pray, or droping prefix from Equinix completely.)
>
>
>
> PS Anyone else on Equinix Syd if you're smashing outbound on NTP please
> check J
>
>
>
>
>
> This is the first time we've seen reflection attack across peering!
>
>
>
> What I once considered safe harbour has now been compromised.
>
>
>
> Kind Regards,
>
> Sean Finn,
>
> Oz Servers.
>
>
>
>
> ------------------------------
>
> Premium Australian Hosting Solution Specialists
> ------------------------------
>
> *Sean Finn, *BInfTech(NetSys)Qld.UT
>
> *Oz Servers*
> e: sean.finn at ozservers.com.au
> *w: http://www.ozservers.com.au <http://www.ozservers.com.au/>*
> *p: 1300 13 89 69*
>
>
>
>
>
> [image: ozlogo]
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/22c19d87/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 23838 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/22c19d87/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.gif
Type: image/gif
Size: 2556 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/22c19d87/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/22c19d87/attachment.jpg>


More information about the AusNOG mailing list