[AusNOG] NTP Reflection coming in over Equinix IX
Tom Paseka
tom at cloudflare.com
Thu Feb 13 16:33:49 EST 2014
We (CloudFlare) regularly get hit over peering points, including Equinix IX
in Sydney, to the tune of multiple Gbps.
On Wed, Feb 12, 2014 at 9:26 PM, Joshua D'Alton <joshua at railgun.com.au>wrote:
> Wow further to my last email, looks like a targeted attack then. And with
> power too, all those hosts have pretty hefty internet connections, well not
> to mention peering!
>
>
> On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg <
> james.braunegg at micron21.com> wrote:
>
>> Dear Seamus
>>
>>
>>
>> Your totally correct.. here is a list of some big offenders we have found
>> so far in Australia
>>
>>
>>
>> 58 DEAKIN-AS-AP Deakin University (AU) (AS7645)
>>
>> 84 MONASHUNI-AU-AS-AP Monash University, (AU)
>> (AS56132)
>>
>> 41 EFTEL-AS-AP Eftel Limited. (AU) (AS10113)
>>
>> 155 AARNET-AS-AP Australian Academic and Reasearch
>> Network (AARNet) (AU) (AS7575)
>>
>> 69 UQ-AS-AP University of Queensland (AU) (AS24436)
>>
>>
>>
>> (The numbers are the amount of unique IP addresses from each AS within an
>> attack)
>>
>>
>>
>> Kindest Regards
>>
>>
>>
>>
>> *James Braunegg**P:* 1300 769 972 | *M:* 0488 997 207 | *D:* (03)
>> 9751 7616
>>
>> *E:* james.braunegg at micron21.com | *ABN:* 12 109 977 666
>> *W:* www.micron21.com/ddos-protection *T:* @micron21
>>
>>
>>
>>
>> [image: Description: Description: Description: Description: M21.jpg]
>> This message is intended for the addressee named above. It may contain
>> privileged or confidential information. If you are not the intended
>> recipient of this message you must not use, copy, distribute or disclose it
>> to anyone other than the addressee. If you have received this message in
>> error please return the message to the sender by replying to it and then
>> delete the message from your computer.
>>
>>
>>
>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of *Seamus
>> Ryan
>> *Sent:* Thursday, February 13, 2014 4:16 PM
>>
>> *To:* 'Sean K. Finn'; ausnog at lists.ausnog.net
>> *Subject:* Re: [AusNOG] NTP Reflection coming in over Equinix IX
>>
>>
>>
>> It has also been happening over NSW-IX the last few days (targeting
>> cloudflare J ).
>>
>>
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>>
>>
>> Not sure if they are NTP, but the "big" one on Tuesday appears to have
>> sources like AARNET
>>
>>
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>>
>>
>>
>> and Ultraserve:
>>
>>
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all
>>
>>
>>
>> (large spikes line up with cloudflare's graph)
>>
>>
>>
>> - Seamus
>>
>>
>>
>>
>>
>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net<ausnog-bounces at lists.ausnog.net>]
>> *On Behalf Of *Sean K. Finn
>> *Sent:* Thursday, 13 February 2014 3:37 PM
>> *To:* ausnog at lists.ausnog.net
>> *Subject:* [AusNOG] NTP Reflection coming in over Equinix IX
>>
>>
>>
>> Hey All,
>>
>>
>>
>> I never thought I'd see the day, we're seeing local NTP Reflection
>> attacks come in across Equinix peering!
>>
>>
>>
>> Thankfully they are very small amounts of traffic but you can see the
>> traffic jump percentage wise.
>>
>>
>>
>>
>>
>>
>>
>> Does anyone have any mitigation stategies across the Equinix IX . (Apart
>> from obvious, i.e. contacting the peer AS's to asking them to nice mitigate
>> at their end and pray, or droping prefix from Equinix completely.)
>>
>>
>>
>> PS Anyone else on Equinix Syd if you're smashing outbound on NTP please
>> check J
>>
>>
>>
>>
>>
>> This is the first time we've seen reflection attack across peering!
>>
>>
>>
>> What I once considered safe harbour has now been compromised.
>>
>>
>>
>> Kind Regards,
>>
>> Sean Finn,
>>
>> Oz Servers.
>>
>>
>>
>>
>> ------------------------------
>>
>> Premium Australian Hosting Solution Specialists
>> ------------------------------
>>
>> *Sean Finn, *BInfTech(NetSys)Qld.UT
>>
>> *Oz Servers*
>> e: sean.finn at ozservers.com.au
>> *w: http://www.ozservers.com.au <http://www.ozservers.com.au/>*
>> *p: 1300 13 89 69*
>>
>>
>>
>>
>>
>> [image: ozlogo]
>>
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140212/7281a0db/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140212/7281a0db/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 23838 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140212/7281a0db/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.gif
Type: image/gif
Size: 2556 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140212/7281a0db/attachment.gif>
More information about the AusNOG
mailing list