[c-nsp] NTP DDoS

SilverTip257 silvertip257 at gmail.com
Wed Feb 12 12:17:34 EST 2014


>
> Date: Wed, 12 Feb 2014 16:19:25 +0000
> From: "Dobbins, Roland" <rdobbins at arbor.net>
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] NTP DDoS
> Message-ID: <BBBAEF13-3E44-41EE-9F76-C4D50A6E04C7 at arbor.net>
> Content-Type: text/plain; charset="us-ascii"
>
>
> On Feb 12, 2014, at 11:07 PM, Richard Clayton <sledge121 at gmail.com> wrote:
>
> > What is this type of DDoS called?
>
> An ntp reflection/amplification DDoS attack.
>

I've seen these NTP attacks called DRDoS attacks.
( Distributed Reflection Denial of Service )


>
> > Is the customer being individually targeted or just the exploitable
> > NTP server?
>
> It sounds as if these are ntpds which are misconfigured and allow
> level-6/-7 commands such as monlist to be issued, which produces a
> significant amplification.  The attackers are spoofing the source IPs of
> their targets, and the ntpds 'reply' with unsolicited large, fragmented UDP
> ntp 'responses'.
>
>
A co-located customer of mine had his ntp config open ... didn't surprise
me it would be him, but yeah lots of fun.


> Check Jared's compendium for abusable ntpds on your netblocks and those of
> your customers:
>
> <http://www.openntpproject.org/>
>

Helpful.
Something I can point customers to for testing their own setups. ;)


>
> > Are these caused by bots or manually by individuals?
>
> Bots being driven by individuals (when we get to the point where the bots
> make their own targeting decisions for DDoS attacks, things will be
> interesting, indeed, heh).
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton
>
>
>
>


-- 
---~~.~~---
Mike
//  SilverTip257  //
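
Added example, not part of the original thread or any poster's message: a small Python classifier for the traffic discussed above, separating ordinary time-sync packets from mode 6/7 queries and totalling monlist responses leaving UDP port 123 per host. The field layout and request codes 20/42 follow ntpd's private-mode (mode 7) packet format; the function names, sample packets and addresses are constructed for illustration.

```python
# Added example: classify NTP UDP payloads by mode and flag monlist traffic.
import struct

MODE_CONTROL, MODE_PRIVATE = 6, 7     # query modes used by ntpq / ntpdc
MONLIST_CODES = {20, 42}              # MON_GETLIST, MON_GETLIST_1 request codes


def classify(payload: bytes) -> str:
    """Return a label for one NTP UDP payload."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07          # mode is the low 3 bits of byte 0
    if mode == MODE_CONTROL:
        return "mode6-control"
    if mode == MODE_PRIVATE:
        is_response = bool(payload[0] & 0x80)   # R bit marks a response
        if payload[3] in MONLIST_CODES:         # byte 3 is the request code
            return "monlist-response" if is_response else "monlist-request"
        return "mode7-other"
    # Modes 1-5 are normal clock traffic (reserved mode 0 also lands here).
    return "time-sync"


def reflectors(packets):
    """packets: iterable of (src_ip, src_port, payload).
    Return {src_ip: bytes of monlist responses sent from port 123}."""
    out = {}
    for src, sport, payload in packets:
        if sport == 123 and classify(payload) == "monlist-response":
            out[src] = out.get(src, 0) + len(payload)
    return out


def _mode7(resp: bool, code: int, body_len: int) -> bytes:
    """Build a constructed mode 7 payload (version 2, implementation 3)."""
    first = (0x80 if resp else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBB", first, 0, 3, code) + bytes(body_len)


# Constructed sample traffic: documentation addresses, synthetic payloads.
SAMPLE = [
    ("198.51.100.7", 40000, _mode7(False, 42, 4)),    # small query
    ("192.0.2.10", 123, _mode7(True, 42, 436)),       # 440-byte response
    ("192.0.2.10", 123, _mode7(True, 42, 436)),
    ("192.0.2.20", 123, bytes([0x24]) + bytes(47)),   # ordinary server reply
]

if __name__ == "__main__":
    for src, total in reflectors(SAMPLE).items():
        print(f"{src} sent {total} bytes of monlist responses")
```

Fed from a packet capture or flow export at the border, the per-host byte totals point at the ntpds on your own netblocks that are answering monlist.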

