[AusNOG] NTP Reflection coming in over Equinix IX

Zone Networks - Joel joel at zonenetworks.com.au
Thu Feb 13 16:36:53 EST 2014 

Global as well, but we block that offshore so not a big issue

 

@Roland - yes open ntp project is handy

 

 

From: Joshua D'Alton [mailto:joshua at railgun.com.au] 
Sent: Thursday, 13 February 2014 4:25 PM
To: Zone Networks - Joel
Cc: Sean K. Finn; James Braunegg; AusNOG at lists.ausnog.net
Subject: Re: [AusNOG] NTP Reflection coming in over Equinix IX

 

With all this domestic (heh NZ) traffic being used, is this looking like a
specifically targeted AU attack, or are we seeing global hosts as well (but
being blocked overshore)?

 

On Thu, Feb 13, 2014 at 4:22 PM, Zone Networks - Joel
<joel at zonenetworks.com.au> wrote:

Hi Guys

 

Our gaming network is seeing inbound traffic across, eqx ix, pipe ix and
vocus, all domestic traffic if you include NZ as domestic J

 

So a lot of ntp still open in aus/nz

 

Regards

Joel

 

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K.
Finn
Sent: Thursday, 13 February 2014 4:05 PM
To: 'James Braunegg'; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] NTP Reflection coming in over Equinix IX

 

G'day James,

 

Firstly thank you for sharing.

 

We've had in the order of 100-200 hosts being reflectors in the past few
weeks launching outbound, however this is the first time we've been on the
receiving end of an NTP.

 

What makes this stand out from the every-day DDOS is there were many, many
hosts coming in across peering.

 

We're dropping the ntp traffic at the firewalls internally, it's not causing
an issue once it gets to us, more of a curiosity that so many Australian
connected peers are still reflecting, and importantly haven't yet been
exploited or cleaned up.


Thankfully we've been able to clean up the hosts on our network one by one
as they launch attacks outbound. (Much like in years past when DNS
amplification was all the rage).

 

We've noticed a few older ESXi hosts have ntp enabled by default and are
susceptible as well, these boxes only started participating in outbound
attacks within the last two weeks though, as well as Junipers reflecting.

 

Prior to that it was mainly older linux hosts.

 

I'm guessing there are slightly different permutations to the NTP attack and
its being refined slowly over time to identify the ever-diminishing
reflection fruit.

 

-Another oddity:

 

The SOURCE IP's were all NTP, UDP port 123.

The RECEIVING IPs at this end were destination PORT 80, UDP.

 

iknowrite.

 

Sean.

 

 

 

From: James Braunegg [mailto:james.braunegg at micron21.com] 
Sent: Thursday, February 13, 2014 2:52 PM
To: Sean K. Finn; ausnog at lists.ausnog.net
Subject: RE: NTP Reflection coming in over Equinix IX

 

Dear Sean

 

If you can filter on packet size you should find the attack request for the
inbound NTP request is 50bytes in size, if you can drop this inbound request
via pattern matching this will stop the request attack traffic in its place
from reaching anything downstream !

 

It also is important to understand if you are being targeted by a NTP attack
or do you have hosts within your network precipitating in an attack.

 

If you need any help just ask !

 

Kindest Regards

 

 

James Braunegg
P:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616

E:    <mailto:james.braunegg at micron21.com> james.braunegg at micron21.com  |
ABN:  12 109 977 666 <tel:12%20109%20977%20666>    
W:   <http://www.micron21.com/ddos-protection>
www.micron21.com/ddos-protection   T: @micron21

 


Description: Description: Description: Description: M21.jpg
This message is intended for the addressee named above. It may contain
privileged or confidential information. If you are not the intended
recipient of this message you must not use, copy, distribute or disclose it
to anyone other than the addressee. If you have received this message in
error please return the message to the sender by replying to it and then
delete the message from your computer.

 

From: AusNOG [ <mailto:ausnog-bounces at lists.ausnog.net>
mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K. Finn
Sent: Thursday, February 13, 2014 3:37 PM
To:  <mailto:ausnog at lists.ausnog.net> ausnog at lists.ausnog.net
Subject: [AusNOG] NTP Reflection coming in over Equinix IX

 

Hey All,

 

I never thought I'd see the day, we're seeing local NTP Reflection attacks
come in across Equinix peering!

 

Thankfully they are very small amounts of traffic but you can see the
traffic jump percentage wise.

 

cid:image002.png at 01CF28CC.B4ED8C60

 

 

Does anyone have any mitigation stategies across the Equinix IX . (Apart
from obvious, i.e. contacting the peer AS's to asking them to nice mitigate
at their end and pray, or droping prefix from Equinix completely.)

 

PS Anyone else on Equinix Syd if you're smashing outbound on NTP please
check J

 

 

This is the first time we've seen reflection attack across peering!

 

What I once considered safe harbour has now been compromised.

 

Kind Regards,

Sean Finn,

Oz Servers.

 

 

  _____  

Premium Australian Hosting Solution Specialists

  _____  


Sean Finn, BInfTech(NetSys)Qld.UT

Oz Servers
e:  <mailto:sean.finn at ozservers.com.au> sean.finn at ozservers.com.au
w:  <http://www.ozservers.com.au/> http://www.ozservers.com.au
p: 1300 13 89 69 

 

 

ozlogo

 


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/b530a2bd/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/b530a2bd/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 23838 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/b530a2bd/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 2556 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140213/b530a2bd/attachment-0001.gif>

More information about the AusNOG mailing list