[c-nsp] NTP DDoS

Dobbins, Roland rdobbins at arbor.net
Wed Feb 12 14:24:40 EST 2014

On Feb 13, 2014, at 2:10 AM, Joe Loiacono <jloiacon at csc.com> wrote:

> This is port 123 exclusively going and coming right? 

No - the reflector/amplifier - target leg will be sourced from UDP/123, but will be destined for the port of the attackers' choice.  We see a lot of UDP/123 - UDP/80, UDP/123 - UDP/123, and UDP/123 - UDP/foo.  

UDP/80 is probably the most popular, but I just got off a call where it was in fact all UDP/123 - UDP/123 as you indicated.

Also, that's just for the initial fragments.  The bulk of the traffic on the reflector/amplifier - target leg is non-initial UDP fragments.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the cisco-nsp mailing list