[AusNOG] NTP Reflection coming in over Equinix IX
Joseph Goldman
joe at apcs.com.au
Thu Feb 13 16:36:46 EST 2014
Better peering then your actual transit, if you ask me. Cheaper cost :P.
On 13/02/14 16:33, Tom Paseka wrote:
> We (CloudFlare) regularly get hit over peering points, including
> Equinix IX in Sydney, to the tune of multiple Gbps.
>
>
> On Wed, Feb 12, 2014 at 9:26 PM, Joshua D'Alton <joshua at railgun.com.au
> <mailto:joshua at railgun.com.au>> wrote:
>
> Wow further to my last email, looks like a targeted attack then.
> And with power too, all those hosts have pretty hefty internet
> connections, well not to mention peering!
>
>
> On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg
> <james.braunegg at micron21.com <mailto:james.braunegg at micron21.com>>
> wrote:
>
> Dear Seamus
>
> Your totally correct.. here is a list of some big offenders we
> have found so far in Australia
>
> 58 DEAKIN-AS-AP Deakin University (AU) (AS7645)
>
> 84 MONASHUNI-AU-AS-AP Monash University, (AU) (AS56132)
>
> 41 EFTEL-AS-AP Eftel Limited. (AU) (AS10113)
>
> 155 AARNET-AS-AP Australian Academic and Reasearch Network
> (AARNet) (AU) (AS7575)
>
> 69 UQ-AS-AP University of Queensland (AU) (AS24436)
>
> (The numbers are the amount of unique IP addresses from each
> AS within an attack)
>
> Kindest Regards
>
> *James Braunegg
> **P:*1300 769 972 | *M:* 0488 997 207 | *D:* (03) 9751 7616
>
> *E:*james.braunegg at micron21.com
> <mailto:james.braunegg at micron21.com>| *ABN:* 12 109 977 666
> <tel:12%20109%20977%20666>
> *W:* www.micron21.com/ddos-protection
> <http://www.micron21.com/ddos-protection> *T:* @micron21
>
>
> Description: Description: Description: Description: M21.jpg
> This message is intended for the addressee named above. It may
> contain privileged or confidential information. If you are not
> the intended recipient of this message you must not use, copy,
> distribute or disclose it to anyone other than the addressee.
> If you have received this message in error please return the
> message to the sender by replying to it and then delete the
> message from your computer.
>
> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net
> <mailto:ausnog-bounces at lists.ausnog.net>] *On Behalf Of
> *Seamus Ryan
> *Sent:* Thursday, February 13, 2014 4:16 PM
>
>
> *To:* 'Sean K. Finn'; ausnog at lists.ausnog.net
> <mailto:ausnog at lists.ausnog.net>
> *Subject:* Re: [AusNOG] NTP Reflection coming in over Equinix IX
>
> It has also been happening over NSW-IX the last few days
> (targeting cloudflare J).
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>
>
> Not sure if they are NTP, but the "big" one on Tuesday appears
> to have sources like AARNET
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>
> and Ultraserve:
>
> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all
>
> (large spikes line up with cloudflare's graph)
>
> -Seamus
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On
> Behalf Of *Sean K. Finn
> *Sent:* Thursday, 13 February 2014 3:37 PM
> *To:* ausnog at lists.ausnog.net <mailto:ausnog at lists.ausnog.net>
> *Subject:* [AusNOG] NTP Reflection coming in over Equinix IX
>
> Hey All,
>
> I never thought I'd see the day, we're seeing local NTP
> Reflection attacks come in across Equinix peering!
>
> Thankfully they are very small amounts of traffic but you can
> see the traffic jump percentage wise.
>
> Does anyone have any mitigation stategies across the Equinix
> IX . (Apart from obvious, i.e. contacting the peer AS's to
> asking them to nice mitigate at their end and pray, or droping
> prefix from Equinix completely.)
>
> PS Anyone else on Equinix Syd if you're smashing outbound on
> NTP please check J
>
> This is the first time we've seen reflection attack across
> peering!
>
> What I once considered safe harbour has now been compromised.
>
> Kind Regards,
>
> Sean Finn,
>
> Oz Servers.
>
> ------------------------------------------------------------------------
>
> Premium Australian Hosting Solution Specialists
>
> ------------------------------------------------------------------------
>
> *Sean Finn, *BInfTech(NetSys)Qld.UT
>
> *Oz Servers*
> e: sean.finn at ozservers.com.au <mailto:sean.finn at ozservers.com.au>
> *w: http://www.ozservers.com.au <http://www.ozservers.com.au/>*
> *p: 1300 13 89 69*
>
>
>
> ozlogo
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/17aa6874/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/17aa6874/attachment-0001.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 23838 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/17aa6874/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2556 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/17aa6874/attachment-0001.gif>
More information about the AusNOG
mailing list