[c-nsp] NTP DDoS

Richard Clayton sledge121 at gmail.com
Tue Feb 11 16:35:53 EST 2014


Seems to be doing the rounds. Had a fault open for a couple of days with a
100Mb Ethernet customer; reported fault was packet loss. Cacti showed an
upstream flatline of 30Mb and an increase in downstream. As the circuit
traffic had recently increased, 1st line support presumed that the BT
Wholesale circuit had an Etherflow bandwidth restriction, so raised the
fault, which ping-ponged back and forth until BT washed their hands of it
(rightly so on this occasion). When it was escalated to me I noticed 'no
buffer' and 'pause input' packet counters were going nuts on the LAN
interface; the packet counters were 10k packets/sec. I enabled 'ip
route-cache flow' on the WAN interface and there it was, 1000s of NTP
connections.

In summary, the Cisco 1921 gave up at 30Mb/s with no buffer left; it usually
runs fine at 100Mb/s with no NAT config. Customer had a public IP on the LAN
switch for management and open NTP, LOL.

Sledge
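As an added example (not part of Sledge's post or any Cisco tooling), a small Python script that parses the flow table printed by IOS `show ip cache flow` once `ip route-cache flow` is enabled, and flags the case where UDP flows sourced from port 123 dominate the packet count, i.e. a host on the LAN answering amplified NTP queries. The sample flow lines are constructed, and the regex assumes the standard IOS column layout (protocol and ports printed in hex).

```python
import re
from collections import Counter

# Constructed sample of `show ip cache flow` output. IOS prints the protocol
# and ports in hex: Pr 11 = UDP (17), port 007B = 123 (NTP), 06 = TCP.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.0.2.10      Gi0/1         198.51.100.7    11 007B 007B  4500
Gi0/0         192.0.2.10      Gi0/1         198.51.100.8    11 007B 0A3C  5200
Gi0/0         192.0.2.10      Gi0/1         203.0.113.44    11 007B 1F90  6100
Gi0/1         203.0.113.9     Gi0/0         192.0.2.10      06 C1A4 0050    12
Gi0/0         192.0.2.20      Gi0/1         203.0.113.5     06 0050 D2F1    40
"""

FLOW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"          # SrcIf SrcIP DstIf DstIP
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Return one dict per flow line; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = m.groups()
        flows.append({"src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
                      "dst_ip": dst_ip, "proto": int(pr, 16),
                      "src_port": int(sp, 16), "dst_port": int(dp, 16),
                      "pkts": int(pkts)})
    return flows

def ntp_reflection_report(flows, share_threshold=0.5):
    """Flag when UDP flows *sourced* from port 123 (NTP replies leaving the
    LAN) carry more than share_threshold of all packets in the cache."""
    total = sum(f["pkts"] for f in flows)
    ntp = [f for f in flows if f["proto"] == 17 and f["src_port"] == 123]
    ntp_pkts = sum(f["pkts"] for f in ntp)
    by_src = Counter()
    for f in ntp:
        by_src[f["src_ip"]] += f["pkts"]     # which local host is replying
    share = ntp_pkts / total if total else 0.0
    return {"ntp_flows": len(ntp), "ntp_share": share,
            "suspect": share >= share_threshold,
            "top_sources": by_src.most_common(3)}

if __name__ == "__main__":
    print(ntp_reflection_report(parse_flows(SAMPLE)))
```

A legitimate NTP server or client produces low packet counts per flow, so a handful of port-123 flows carrying nearly all the packets, all from one LAN address, is the signature to act on (restrict who the device serves NTP to, or close it on the public address).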
