[c-nsp] NTP DDoS
Dobbins, Roland
rdobbins at arbor.net
Wed Feb 12 14:24:40 EST 2014
On Feb 13, 2014, at 2:10 AM, Joe Loiacono <jloiacon at csc.com> wrote:
> This is port 123 exclusively going and coming right?
No - the reflector/amplifier - target leg will be sourced from UDP/123, but will be destined for the port of the attackers' choice. We see a lot of UDP/123 - UDP/80, UDP/123 - UDP/123, and UDP/123 - UDP/foo.
UDP/80 is probably the most popular, but I just got off a call where it was in fact all UDP/123 - UDP/123 as you indicated.
Also, that's just for the initial fragments. The bulk of the traffic on the reflector/amplifier - target leg is non-initial UDP fragments.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
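An added example, not part of the original message: a byte counter for the reflector/amplifier - target leg described above, which matches initial fragments on source port UDP/123 whatever the destination port, and attributes non-initial fragments (which carry no UDP header) through the IPv4 source, destination and ID of their initial fragment. The function names, class labels and sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

NTP_PORT, UDP_PROTO = 123, 17

def parse(pkt):
    """Return (datagram_key, frag_offset, src_port) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != UDP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    offset = flags_frag & 0x1FFF              # fragment offset, 8-byte units
    key = (pkt[12:16], pkt[16:20], ident)     # src, dst, IP ID tie fragments together
    if offset:                                # non-initial fragment: no ports to match
        return key, offset, None
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    return key, 0, struct.unpack("!H", pkt[ihl:ihl + 2])[0]

def tally(packets):
    """Bytes per class; fragments are attributed via their initial fragment."""
    parsed = [(p, parse(p)) for p in packets]
    ntp_keys = {r[0] for _, r in parsed if r and r[2] == NTP_PORT}
    out = Counter()
    for pkt, r in parsed:
        if r is None:
            cls = "other"
        elif r[1] == 0:
            cls = "ntp_sourced_initial" if r[2] == NTP_PORT else "other"
        else:
            cls = "ntp_noninitial_fragment" if r[0] in ntp_keys else "unattributed_fragment"
        out[cls] += len(pkt)
    return dict(out)

def build(ident, sport, dport, data_len, offset=0, more=False):
    """Constructed sample packet (zero checksums, documentation addresses)."""
    body = b"\x00" * data_len
    if offset == 0:
        body = struct.pack("!HHHH", sport, dport, 8 + data_len, 0) + body
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident,
                      (0x2000 if more else 0) | offset, 64, UDP_PROTO, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + body

SAMPLE = [  # constructed traffic, not a capture
    build(0x1111, 123, 80, 1472, more=True),           # initial, UDP/123 -> UDP/80
    build(0x1111, 0, 0, 1480, offset=185, more=True),  # non-initial, same datagram
    build(0x1111, 0, 0, 1000, offset=370),             # last fragment
    build(0x2222, 0, 0, 1480, offset=185),             # fragment, initial not seen
    build(0x3333, 53, 4444, 100),                      # unrelated UDP
]
```

On the sample, `tally(SAMPLE)` puts 1500 bytes in the port-matchable class and 2520 in attributed non-initial fragments, so a filter or counter keyed only on UDP/123 would see the smaller share.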