[c-nsp] NTP DDoS
Richard Clayton
sledge121 at gmail.com
Wed Feb 12 11:07:16 EST 2014
The details of the attack I was involved with were:
- upstream bandwidth spike from customer to Internet (only flatlined due to
CPE buffer).
- downstream bandwidth towards customer didn't really show any significant
change but did hurt our edge buffers.
- 1000s of inbound NTP connections from random sources on the Internet to
a single device on customer network (with open NTP config).
- I didn't check outbound connections from the customer to the Internet.
Questions
What is this type of DDoS called? I've heard a few different types
mentioned, amplification, reflection etc.
Is the customer being individually targeted or just the exploitable NTP
server?
Are these caused by bots or manually by individuals?
I've included a snapshot of the downstream connections
On 12 February 2014 07:32, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> +1 yep. Use any of these NTP resources to find issues within your
> ASNs/remit . As network admins it's our duty/responsibility to look after
> each other and try to keep the Internet free of such 'filth' :)
>
> Alan
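
One way to summarise flow-cache records like the snapshot the post mentions: count distinct sources and packets per destination for UDP port 123, so a single host receiving NTP from many unrelated sources stands out. This is an added example, not part of the original post; the column layout (source interface, source IP, destination interface, destination IP, hex protocol, hex ports, packet count) is assumed, and the sample records, addresses and `min_sources` threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample using documentation addresses. Assumed columns:
# SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts, with Pr and ports in hex.
# The packet count sometimes wraps onto its own line in pasted output.
SAMPLE = """\
Gi0/0 192.0.2.10 Gi0/1 203.0.113.5 11 007B 007B
2
Gi0/0 192.0.2.11 Gi0/1 203.0.113.5 11 007B 007B
38
Gi0/0 198.51.100.7 Gi0/1 203.0.113.5 11 007B 007B 123
Gi0/0 198.51.100.8 Gi0/1 203.0.113.5 11 C350 007B 1
Gi0/0 198.51.100.9 Gi0/1 203.0.113.9 06 C001 0050 40
Gi0/0 192.0.2.10 Gi0/1 203.0.113.9 11 007B 007B 4
"""

# \s+ between fields lets one record span a wrapped line.
FLOW_RE = re.compile(
    r"(?<!\S)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)(?!\S)"
)

UDP = 0x11       # protocol 17, shown as hex 11
NTP_PORT = 0x7B  # port 123, shown as hex 007B


def parse_flows(text):
    """Yield (src_ip, dst_ip, proto, src_port, dst_port, packets) per record."""
    for m in FLOW_RE.finditer(text):
        _, src, _, dst, pr, sp, dp, pkts = m.groups()
        yield src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)


def ntp_fan_in(text, min_sources=3):
    """Per destination: distinct sources and packets for UDP flows to port 123."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for src, dst, proto, _sport, dport, pkts in parse_flows(text):
        if proto == UDP and dport == NTP_PORT:
            sources[dst].add(src)
            packets[dst] += pkts
    return {
        dst: {"sources": len(srcs), "packets": packets[dst]}
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for dst, stats in ntp_fan_in(SAMPLE).items():
        print(dst, stats)
```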