[c-nsp] NTP DDoS

Joe Loiacono jloiacon at csc.com
Wed Feb 12 14:10:57 EST 2014

This is port 123 exclusively going and coming right?


Joe Loiacono

From:   "Dobbins, Roland" <rdobbins at arbor.net>
To:     "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Date:   02/12/2014 11:21 AM
Subject:        Re: [c-nsp] NTP DDoS
Sent by:        "cisco-nsp" <cisco-nsp-bounces at puck.nether.net>

On Feb 12, 2014, at 11:07 PM, Richard Clayton <sledge121 at gmail.com> wrote:

> What is this type of DDoS called?

An ntp reflection/amplification DDoS attack.

> Is the the customer being individually targeted or just the expolitable 
NTP server?

It sounds as if these are ntpds which are misconfigured and allow 
level-6/-7 commands such as monlist to be issued, which produces a 
significant amplification.  The attackers are spoofing the source IPs of 
their targets, and the ntpds 'reply' with unsolicited large, fragmented 
UDP ntp 'responses'.

Check Jared's compendium for abusable ntpds on your netblocks and those of 
your customers:


> Are these caused by bots or manually by individuals?

Bots being driven by individuals (when we get to the point where the bots 
make their own targeting decisions for DDoS attacks, things will be 
interesting, indeed, heh).

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Luck is the residue of opportunity and design.

                                        -- John Milton

cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list