[c-nsp] NTP DDoS

Aaron aaron1 at gvtc.com
Tue Feb 18 02:15:35 EST 2014


You have 100 gbps internet connection?  I ask since I have dual 10 gbps
interface to internet, I've grown to trust my nfsen netflow collector, but
strangely tonight's ntp ddos was registering ~40 gbps.... how could that be
if my inet connections are only 20 gbps aggregate line rate ?

I am sampling 1/512 on my (2) boundary asr9k's....

Usually nfsen seems to be pretty accurate, is there a reason for that ~40
gbps reading during that ntp attack ?


Aaron

-----Original Message-----
From: John van Oppen [mailto:jvanoppen at spectrumnet.us] 
Sent: Monday, February 17, 2014 9:43 PM
To: 'Aaron'; sledge121 at gmail.com; 'Cisco NSPs'
Subject: RE: [c-nsp] NTP DDoS

We had well over 100 gbit/sec of that lovely traffic headed towards our
network (AS11404) a few days ago...  That was fun.    Secure your networks
please, this is getting annoying...

John

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Aaron
Sent: Monday, February 17, 2014 6:30 PM
To: sledge121 at gmail.com; 'Cisco NSPs'
Subject: Re: [c-nsp] NTP DDoS

My gosh!  NTP ddos attacks are coming like crazy lately.  Y'all getting hit?

I'm going to need to set up a bgp injection thingy with my upstream providers
to signal a /32 for my victim(s) in my network so I can selectively blackhole
traffic in the cloud prior to it hitting my internet links..... this is
getting really bad

Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Richard Clayton
Sent: Tuesday, February 11, 2014 3:36 PM
To: Cisco NSPs
Subject: [c-nsp] NTP DDoS

Seems to be doing the rounds. Had a fault open for a couple of days with a
100Mb Ethernet customer; reported fault was packet loss. Cacti showed an
upstream flatline of 30Mb and an increase in downstream. As the circuit
traffic had recently increased, 1st line support presumed that the BT
Wholesale circuit had an Etherflow bandwidth restriction, so raised the fault,
which ping ponged back and forth until BT washed their hands of it (rightly
so on this occasion). When it was escalated to me I noticed 'no buffer' and
'pause input' packet counters were going nuts on the LAN interface; the
packet counters were 10k packets/sec. I enabled 'ip route-cache flow' on the
WAN interface and there it was, 1000's of NTP connections.

In summary the Cisco 1921 gave up at 30Mb/s with no buffer left, usually
runs fine at 100Mb/s with no NAT config, customer had public IP on LAN
switch for management and open NTP, LOL.

Sledge
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
