[c-nsp] NTP DDoS

Jared Mauch jared at puck.nether.net
Wed Feb 12 00:01:06 EST 2014


Please take a moment and e-mail ntp-scan at puck.nether.net with your ASN and you can get a list of the devices in your network that respond to NTP queries that can be abused.

If you don’t do BGP and want to check your IP space, you can do a search based on your IPv4 CIDR.

- Jared

On Feb 11, 2014, at 4:35 PM, Richard Clayton <sledge121 at gmail.com> wrote:

> Seems to be doing the rounds, had a fault open for a couple of days with a
> 100Mb Ethernet customer, reported fault was packet loss, Cacti showed an
> upstream flatline of 30Mb and an increase in downstream. As the circuit
> traffic had recently increased, 1st line support presumed that the BT
> Wholesale circuit had an Etherflow bandwidth restriction, so raised the
> fault, which ping-ponged back and forth until BT washed their hands of it
> (rightly so on this occasion). When it was escalated to me I noticed 'no
> buffer' and 'pause input' packet counters were going nuts on the LAN
> interface; the packet counters were 10k packets/sec. I enabled 'ip
> route-cache flow' on the WAN interface and there it was, 1000s of NTP
> connections.
> 
> In summary the Cisco 1921 gave up at 30Mb/s with no buffer left, usually
> runs fine at 100Mb/s with no NAT config, customer had public IP on LAN
> switch for management and open NTP, LOL.
> 
> Sledge
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
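
The diagnosis in the quoted report (flow accounting on the WAN interface showing thousands of NTP flows from a host with open NTP) can be automated over exported flow records. The following is an added example, not part of the original thread: the record layout, sample data, function name and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

NTP_PORT = 123
UDP = 17

# Constructed sample flow records (not router output), documentation ranges:
# (src_ip, src_port, dst_ip, dst_port, ip_protocol, packets, bytes)
SAMPLE_FLOWS = [
    # Small queries arriving at a local host with open NTP...
    ("198.51.100.7", 40001, "192.0.2.10", 123, 17, 1, 50),
    ("198.51.100.8", 40002, "192.0.2.10", 123, 17, 1, 50),
    ("198.51.100.9", 40003, "192.0.2.10", 123, 17, 1, 50),
    # ...and the much larger replies it sends back out.
    ("192.0.2.10", 123, "198.51.100.7", 40001, 17, 100, 44000),
    ("192.0.2.10", 123, "198.51.100.8", 40002, 17, 100, 44000),
    ("192.0.2.10", 123, "198.51.100.9", 40003, 17, 100, 44000),
    # Ordinary time sync between a local host and one upstream server.
    ("192.0.2.20", 123, "203.0.113.1", 123, 17, 1, 76),
    ("203.0.113.1", 123, "192.0.2.20", 123, 17, 1, 76),
    # Non-UDP traffic on port 123 is ignored.
    ("192.0.2.30", 123, "203.0.113.5", 50000, 6, 10, 9000),
]

def find_ntp_reflectors(flows, local_net, min_peers=3, min_ratio=5.0):
    """Return {local_ip: (distinct_peers, out/in byte ratio)} for local
    hosts that answer NTP to many peers with far more bytes than they
    receive on port 123. Thresholds are illustrative assumptions."""
    net = ip_network(local_net)
    stats = defaultdict(lambda: {"peers": set(), "out": 0, "in": 0})
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != UDP:
            continue
        if sport == NTP_PORT and ip_address(src) in net:
            stats[src]["peers"].add(dst)   # reply leaving a local host
            stats[src]["out"] += nbytes
        if dport == NTP_PORT and ip_address(dst) in net:
            stats[dst]["in"] += nbytes     # query reaching a local host
    flagged = {}
    for host, s in stats.items():
        ratio = s["out"] / max(s["in"], 1)  # avoid division by zero
        if len(s["peers"]) >= min_peers and ratio >= min_ratio:
            flagged[host] = (len(s["peers"]), round(ratio, 1))
    return flagged

if __name__ == "__main__":
    print(find_ntp_reflectors(SAMPLE_FLOWS, "192.0.2.0/24"))
```

Hosts this flags are candidates for restricting or disabling externally reachable NTP, the same class of device the ntp-scan list mentioned above reports.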



