[AusNOG] NTP Reflection coming in over Equinix IX
Luke Iggleden
luke+ausnog at sisgroup.com.au
Thu Feb 13 16:56:58 EST 2014
That's all well and good, but Equinix (and others) provide no way to drop
this. If your link is saturated you need to:

Withdraw all prefixes from the IX that aren't being dossed.
or/
Announce a more specific via a DDoS scrubber
or/
Announce via a transit provider that supports RTBH.

I think really we need to start looking at some controls via peering,
either via an ACL in a web UI or some agreed BGP communities that we can
match on and agree to send to DSC0.

An ACL in a web GUI will probably not happen, as peering providers' switch
TCAM is probably limited.

On 13/02/2014 4:36 pm, Joseph Goldman wrote:
> Better peering than your actual transit, if you ask me. Cheaper cost :P.
>
> On 13/02/14 16:33, Tom Paseka wrote:
>> We (CloudFlare) regularly get hit over peering points, including
>> Equinix IX in Sydney, to the tune of multiple Gbps.
>>
>>
>> On Wed, Feb 12, 2014 at 9:26 PM, Joshua D'Alton <joshua at railgun.com.au> wrote:
>>
>> Wow further to my last email, looks like a targeted attack then.
>> And with power too, all those hosts have pretty hefty internet
>> connections, well not to mention peering!
>>
>>
>> On Thu, Feb 13, 2014 at 4:23 PM, James Braunegg
>> <james.braunegg at micron21.com> wrote:
>>
>> Dear Seamus
>>
>> You're totally correct.. here is a list of some big offenders we
>> have found so far in Australia
>>
>> 58 DEAKIN-AS-AP Deakin University (AU) (AS7645)
>>
>> 84 MONASHUNI-AU-AS-AP Monash University, (AU) (AS56132)
>>
>> 41 EFTEL-AS-AP Eftel Limited. (AU) (AS10113)
>>
>> 155 AARNET-AS-AP Australian Academic and Research Network
>> (AARNet) (AU) (AS7575)
>>
>> 69 UQ-AS-AP University of Queensland (AU) (AS24436)
>>
>> (The numbers are the amount of unique IP addresses from each
>> AS within an attack)
>>
>> Kindest Regards
>>
>> *James Braunegg*
>> *P:* 1300 769 972 | *M:* 0488 997 207 | *D:* (03) 9751 7616
>> *E:* james.braunegg at micron21.com | *ABN:* 12 109 977 666
>> *W:* www.micron21.com/ddos-protection | *T:* @micron21
>>
>>
>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* Seamus Ryan
>> *Sent:* Thursday, February 13, 2014 4:16 PM
>> *To:* 'Sean K. Finn'; ausnog at lists.ausnog.net
>> *Subject:* Re: [AusNOG] NTP Reflection coming in over Equinix IX
>>
>> It has also been happening over NSW-IX the last few days
>> (targeting cloudflare :) ).
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>>
>>
>> Not sure if they are NTP, but the “big” one on Tuesday appears
>> to have sources like AARNET
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=64&rra_id=all
>>
>> and Ultraserve:
>>
>> http://monitor.nsw.ix.asn.au/cacti/graph.php?local_graph_id=257&rra_id=all
>>
>> (large spikes line up with cloudflare’s graph)
>>
>> -Seamus
>>
>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* Sean K. Finn
>> *Sent:* Thursday, 13 February 2014 3:37 PM
>> *To:* ausnog at lists.ausnog.net
>> *Subject:* [AusNOG] NTP Reflection coming in over Equinix IX
>>
>> Hey All,
>>
>> I never thought I’d see the day, we’re seeing local NTP
>> Reflection attacks come in across Equinix peering!
>>
>> Thankfully they are very small amounts of traffic but you can
>> see the traffic jump percentage wise.
>>
>> Does anyone have any mitigation strategies across the Equinix
>> IX? (Apart from the obvious, i.e. contacting the peer AS’s to
>> ask them to nicely mitigate at their end and pray, or dropping
>> prefix from Equinix completely.)
>>
>> PS Anyone else on Equinix Syd if you’re smashing outbound on
>> NTP please check :)
>>
>> This is the first time we’ve seen reflection attack across
>> peering!
>>
>> What I once considered safe harbour has now been compromised.
>>
>> Kind Regards,
>>
>> Sean Finn,
>>
>> Oz Servers.
>>
>> ------------------------------------------------------------------------
>>
>> Premium Australian Hosting Solution Specialists
>>
>> ------------------------------------------------------------------------
>>
>> *Sean Finn, *BInfTech(NetSys)Qld.UT
>>
>> *Oz Servers*
>> e: sean.finn at ozservers.com.au
>> *w: http://www.ozservers.com.au*
>> *p: 1300 13 89 69*
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
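
Added example, not part of the original thread: a sketch of the triage the messages above describe, counting unique reflector IPs per origin AS (as in the quoted list) and listing which destinations are under attack, so the prefixes that are not affected can be told apart before choosing between withdrawal, a scrubber announcement or RTBH. The flow tuple layout, the prefix-to-AS table, the 48-byte size threshold and the minimum of three reflectors are assumptions; all addresses and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123
PLAIN_NTP_BYTES = 48   # assumption: anything larger is treated as amplified
MIN_SOURCES = 3        # assumption: distinct reflectors before a target counts

# Constructed prefix -> origin AS table (documentation prefixes and ASNs).
PREFIX_TO_ASN = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497,
                 "203.0.113.0/24": 64498}

# Constructed flow records: (src_ip, src_port, dst_ip, proto, payload_bytes)
FLOWS = [
    ("192.0.2.10", 123, "10.0.0.10", "udp", 440),
    ("192.0.2.11", 123, "10.0.0.10", "udp", 440),
    ("192.0.2.10", 123, "10.0.0.10", "udp", 440),      # repeat source
    ("198.51.100.5", 123, "10.0.0.10", "udp", 440),
    ("203.0.113.9", 123, "10.0.0.20", "udp", 48),      # ordinary NTP reply
    ("203.0.113.9", 53000, "10.0.0.10", "tcp", 1200),  # unrelated traffic
]

def origin_asn(ip):
    """Longest-prefix match of ip against PREFIX_TO_ASN; None if unknown."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def is_reflected_ntp(flow):
    """UDP sourced from port 123 and bigger than a plain NTP packet."""
    _src, sport, _dst, proto, size = flow
    return proto == "udp" and sport == NTP_PORT and size > PLAIN_NTP_BYTES

def reflectors_by_asn(flows):
    """Count unique reflector IPs per origin AS."""
    seen = defaultdict(set)
    for flow in filter(is_reflected_ntp, flows):
        seen[origin_asn(flow[0])].add(flow[0])
    return {asn: len(ips) for asn, ips in seen.items()}

def attacked_prefixes(flows, min_sources=MIN_SOURCES):
    """Destinations hit by at least min_sources distinct reflectors, as /32s."""
    sources = defaultdict(set)
    for flow in filter(is_reflected_ntp, flows):
        sources[flow[2]].add(flow[0])
    return sorted(f"{d}/32" for d, s in sources.items() if len(s) >= min_sources)

if __name__ == "__main__":
    print(reflectors_by_asn(FLOWS), attacked_prefixes(FLOWS))
```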