[c-nsp] NTP DDoS
Joe Loiacono
jloiacon at csc.com
Wed Feb 12 14:10:57 EST 2014
This is port 123 exclusively going and coming, right?
Thanks,
Joe Loiacono
From: "Dobbins, Roland" <rdobbins at arbor.net>
To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Date: 02/12/2014 11:21 AM
Subject: Re: [c-nsp] NTP DDoS
Sent by: "cisco-nsp" <cisco-nsp-bounces at puck.nether.net>
On Feb 12, 2014, at 11:07 PM, Richard Clayton <sledge121 at gmail.com> wrote:
> What is this type of DDoS called?
An ntp reflection/amplification DDoS attack.
> Is the customer being individually targeted or just the exploitable NTP server?
It sounds as if these are ntpds which are misconfigured and allow
level-6/-7 commands such as monlist to be issued, which produces a
significant amplification. The attackers are spoofing the source IPs of
their targets, and the ntpds 'reply' with unsolicited large, fragmented
UDP ntp 'responses'.
Check Jared's compendium for abusable ntpds on your netblocks and those of
your customers:
<http://www.openntpproject.org/>
> Are these caused by bots or manually by individuals?
Bots being driven by individuals (when we get to the point where the bots
make their own targeting decisions for DDoS attacks, things will be
interesting, indeed, heh).
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
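Added example, not part of the original thread: a flow-record check for the pattern described above, large UDP 'responses' sourced from port 123, which reports both the targets being hit and any ntpds on your own netblocks acting as reflectors. The flow tuple layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123
AVG_BYTES_THRESHOLD = 200  # assumed tuning value; a basic NTP packet is 76 bytes on IPv4
MIN_REFLECTORS = 3         # assumed: distinct ntpd sources before a target is reported

# Constructed flow records (documentation address ranges):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, "198.51.100.7", 41522, "udp", 100, 46800),
    ("192.0.2.11", 123, "198.51.100.7", 41522, "udp", 80, 37440),
    ("192.0.2.12", 123, "198.51.100.7", 80, "udp", 120, 56160),
    ("203.0.113.5", 123, "198.51.100.9", 123, "udp", 4, 304),   # ordinary time sync
    ("198.51.100.9", 123, "203.0.113.5", 123, "udp", 4, 304),   # ordinary time sync
    ("192.0.2.10", 443, "198.51.100.7", 50000, "tcp", 50, 60000),
]

def is_amplified_ntp(flow):
    """True for UDP flows sourced from port 123 whose packets are oversized.

    Only the source port is matched: the destination port is whatever the
    spoofed request used, so it is not reliably 123.
    """
    _, src_port, _, _, proto, packets, nbytes = flow
    return (proto == "udp" and src_port == NTP_PORT and packets > 0
            and nbytes / packets > AVG_BYTES_THRESHOLD)

def find_targets(flows):
    """Map each target IP to the reflectors hitting it and the total bytes."""
    per_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for flow in flows:
        if is_amplified_ntp(flow):
            per_target[flow[2]]["reflectors"].add(flow[0])
            per_target[flow[2]]["bytes"] += flow[6]
    return {ip: {"reflectors": sorted(e["reflectors"]), "bytes": e["bytes"]}
            for ip, e in per_target.items()
            if len(e["reflectors"]) >= MIN_REFLECTORS}

def abusable_local_servers(flows, netblocks):
    """List source IPs inside your own netblocks that emit amplified NTP."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    hits = {f[0] for f in flows if is_amplified_ntp(f)
            and any(ipaddress.ip_address(f[0]) in n for n in nets)}
    return sorted(hits)
```

Feed it records exported from your flow collector in the same tuple order, and tune both thresholds against your own baseline of legitimate NTP traffic.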