[AusNOG] NTP Reflection coming in over Equinix IX

Seamus Ryan s.ryan at uber.com.au
Thu Feb 13 16:36:56 EST 2014


Yup,

AARNET for example: http://www.itnews.com.au/News/365588,aarnet-upgrades-backbone-to-100-gigabit-ethernet.aspx


-          Seamus



From: Joshua D'Alton [mailto:joshua at railgun.com.au]
Sent: Thursday, 13 February 2014 4:27 PM
To: James Braunegg
Cc: Seamus Ryan; Sean K. Finn; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] NTP Reflection coming in over Equinix IX
Importance: High

Wow further to my last email, looks like a targeted attack then. And with power too, all those hosts have pretty hefty internet connections, well not to mention peering!

On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg <james.braunegg at micron21.com> wrote:
Dear Seamus

You're totally correct. Here is a list of some big offenders we have found so far in Australia

58   DEAKIN-AS-AP Deakin University (AU) (AS7645)
84   MONASHUNI-AU-AS-AP Monash University, (AU) (AS56132)
41   EFTEL-AS-AP Eftel Limited. (AU) (AS10113)
155  AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) (AU) (AS7575)
69   UQ-AS-AP University of Queensland (AU) (AS24436)

(The numbers are the number of unique IP addresses from each AS within an attack)

Kindest Regards

James Braunegg
P:  1300 769 972  |  M:  0488 997 207  |  D:  (03) 9751 7616
E:  james.braunegg at micron21.com  |  ABN:  12 109 977 666
W:  www.micron21.com/ddos-protection  |  T: @micron21



From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Seamus Ryan
Sent: Thursday, February 13, 2014 4:16 PM

To: 'Sean K. Finn'; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] NTP Reflection coming in over Equinix IX

It has also been happening over NSW-IX the last few days (targeting cloudflare :) ).

http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all

Not sure if they are NTP, but the "big" one on Tuesday appears to have sources like AARNET

http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all

and Ultraserve:

http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all

(large spikes line up with cloudflare's graph)


-          Seamus


From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K. Finn
Sent: Thursday, 13 February 2014 3:37 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] NTP Reflection coming in over Equinix IX

Hey All,

I never thought I'd see the day, we're seeing local NTP Reflection attacks come in across Equinix peering!

Thankfully they are very small amounts of traffic but you can see the traffic jump percentage wise.



Does anyone have any mitigation strategies across the Equinix IX? (Apart from the obvious, i.e. contacting the peer AS's to ask them to nicely mitigate at their end and pray, or dropping prefix from Equinix completely.)

PS Anyone else on Equinix Syd if you're smashing outbound on NTP please check :)


This is the first time we've seen reflection attack across peering!

What I once considered safe harbour has now been compromised.

Kind Regards,
Sean Finn,
Oz Servers.


________________________________
Premium Australian Hosting Solution Specialists
________________________________
Sean Finn, BInfTech(NetSys)Qld.UT
Oz Servers
e: sean.finn at ozservers.com.au
w: http://www.ozservers.com.au
p: 1300 13 89 69






_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
