[c-nsp] NTP DDoS

Nick Ryce nick at fluency.net.uk
Thu Feb 13 05:10:36 EST 2014 

You can check for open ntp servers within your AS with the following:-

http://openntpproject.org/searchby-asn.cgi?search_asn=56595

Swap 56595 for your ASN  :)

Nick
On 13 Feb 2014, at 02:12, SilverTip257 <silvertip257 at gmail.com> wrote:

> On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
>>> Something I can point customers to for testing their own set ups. ;)
>> 
> 
> What I was trying to say is that openntp project URL is something I can
> point customers at and they should understand.  Some of my customers are
> dense.
> 
> Sadly, a few of them try to tell me that information I give them doesn't
> work.  But when they say "hey, here's my credentials, why don't you fix it
> for me?" ... I come to find (yes, I'm a nice guy) that everything I sent
> them was spot on (as I expected).
> 
> Copy+paste is over-rated.  o_O
> 
> 
>> 
>> On a Linux or mac
>> 
>> ntpdc -c monlist xxx.xxx.xxx.xxx
>> 
> 
> Yep.  And loopinfo and iostats commands.
> 
> nmap has a ntp-monlist script that is helpful (combined with the grep-able
> output option).
> 
> I'm about due for running another ntp-monlist scan ... [when DNS
> amplification attacks were real bad a few months ago, we told a customer to
> disable DNS recursion ... he instead shut off bind/named for that day and
> turned it back on some time later].
> 
> 
>> 
>> If you get a reply (which will consist of a list of IP addresses that have
>> sync'd with the daemon) then the server has a non optimal config. ... and
>> if it's already been found by others they will all be listed. .. You might
>> even see openntp project and team cymru servers listed ;)
>> 
>> Alan
> 
> 
> 
> 
> -- 
> ---~~.~~---
> Mike
> //  SilverTip257  //
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Nick Ryce

Fluency Communications Ltd.
e. nick at fluency.net.uk
w. http://fluency.net.uk/
t. 0845 874 7000

More information about the cisco-nsp mailing list