[c-nsp] NTP DDoS

Jared Mauch jared at puck.nether.net
Thu Feb 13 08:59:44 EST 2014 

Yeah, but I didn't mean for you to make that public :(

- jared

On Feb 13, 2014, at 5:10 AM, Nick Ryce <nick at fluency.net.uk> wrote:

> You can check for open ntp servers within your AS with the following:-
> 
> http://openntpproject.org/searchby-asn.cgi?search_asn=56595
> 
> Swap 56595 for your ASN  :)
> 
> Nick
> On 13 Feb 2014, at 02:12, SilverTip257 <silvertip257 at gmail.com> wrote:
> 
>> On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>> 
>>>> Something I can point customers to for testing their own set ups. ;)
>>> 
>> 
>> What I was trying to say is that openntp project URL is something I can
>> point customers at and they should understand.  Some of my customers are
>> dense.
>> 
>> Sadly, a few of them try to tell me that information I give them doesn't
>> work.  But when they say "hey, here's my credentials, why don't you fix it
>> for me?" ... I come to find (yes, I'm a nice guy) that everything I sent
>> them was spot on (as I expected).
>> 
>> Copy+paste is over-rated.  o_O
>> 
>> 
>>> 
>>> On a Linux or mac
>>> 
>>> ntpdc -c monlist xxx.xxx.xxx.xxx
>>> 
>> 
>> Yep.  And loopinfo and iostats commands.
>> 
>> nmap has a ntp-monlist script that is helpful (combined with the grep-able
>> output option).
>> 
>> I'm about due for running another ntp-monlist scan ... [when DNS
>> amplification attacks were real bad a few months ago, we told a customer to
>> disable DNS recursion ... he instead shut off bind/named for that day and
>> turned it back on some time later].
>> 
>> 
>>> 
>>> If you get a reply (which will consist of a list of IP addresses that have
>>> sync'd with the daemon) then the server has a non optimal config. ... and
>>> if it's already been found by others they will all be listed. .. You might
>>> even see openntp project and team cymru servers listed ;)
>>> 
>>> Alan
>> 
>> 
>> 
>> 
>> -- 
>> ---~~.~~---
>> Mike
>> //  SilverTip257  //
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> -- 
> Nick Ryce
> 
> Fluency Communications Ltd.
> e. nick at fluency.net.uk
> w. http://fluency.net.uk/
> t. 0845 874 7000
> 
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list