[c-nsp] NTP DDoS

Jared Mauch jared at puck.nether.net
Thu Feb 13 09:59:14 EST 2014


Well, I do some things to block people from scraping the data out..

(They do try).

So more abuse may come as a result of this sadly.

- Jared

On Feb 13, 2014, at 9:53 AM, Richard Clayton <sledge121 at gmail.com> wrote:

> Nobody is safe now Jared :-)
> 
> 
> On 13 February 2014 13:59, Jared Mauch <jared at puck.nether.net> wrote:
> Yeah, but I didn't mean for you to make that public :(
> 
> - jared
> 
> On Feb 13, 2014, at 5:10 AM, Nick Ryce <nick at fluency.net.uk> wrote:
> 
> > You can check for open ntp servers within your AS with the following:-
> >
> > http://openntpproject.org/searchby-asn.cgi?search_asn=56595
> >
> > Swap 56595 for your ASN  :)
> >
> > Nick
> > On 13 Feb 2014, at 02:12, SilverTip257 <silvertip257 at gmail.com> wrote:
> >
> >> On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> >>
> >>>> Something I can point customers to for testing their own set ups. ;)
> >>>
> >>
> >> What I was trying to say is that openntp project URL is something I can
> >> point customers at and they should understand.  Some of my customers are
> >> dense.
> >>
> >> Sadly, a few of them try to tell me that information I give them doesn't
> >> work.  But when they say "hey, here's my credentials, why don't you fix it
> >> for me?" ... I come to find (yes, I'm a nice guy) that everything I sent
> >> them was spot on (as I expected).
> >>
> >> Copy+paste is over-rated.  o_O
> >>
> >>
> >>>
> >>> On a Linux or mac
> >>>
> >>> ntpdc -c monlist xxx.xxx.xxx.xxx
> >>>
> >>
> >> Yep.  And loopinfo and iostats commands.
> >>
> >> nmap has a ntp-monlist script that is helpful (combined with the grep-able
> >> output option).
> >>
> >> I'm about due for running another ntp-monlist scan ... [when DNS
> >> amplification attacks were real bad a few months ago, we told a customer to
> >> disable DNS recursion ... he instead shut off bind/named for that day and
> >> turned it back on some time later].
> >>
> >>
> >>>
> >>> If you get a reply (which will consist of a list of IP addresses that have
> >>> sync'd with the daemon) then the server has a non-optimal config ... and
> >>> if it's already been found by others they will all be listed ... You might
> >>> even see openntp project and team cymru servers listed ;)
> >>>
> >>> Alan
> >>
> >>
> >>
> >>
> >> --
> >> ---~~.~~---
> >> Mike
> >> //  SilverTip257  //
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > --
> > Nick Ryce
> >
> > Fluency Communications Ltd.
> > e. nick at fluency.net.uk
> > w. http://fluency.net.uk/
> > t. 0845 874 7000
> 
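The `ntpdc -c monlist` check quoted above, wrapped so it can be run over a list of hosts you operate; this is an added example, not code posted by anyone in the thread. It assumes `ntpdc` prints its usual table with a row of `=` under the column header, and `NTPDC` is a hypothetical override variable for the client binary.

```shell
#!/bin/sh
# Audit hosts you operate for monlist replies, using the thread's
# `ntpdc -c monlist <host>` check. NTPDC is a hypothetical override for
# the client binary so the logic can be exercised against a stub.

# Print how many monlist entries a host returned (0 = no reply).
monlist_entries() {
    # -n keeps addresses numeric; stdin is detached so the client cannot
    # swallow the host list that audit_hosts is reading.
    "${NTPDC:-ntpdc}" -n -c monlist "$1" 2>/dev/null </dev/null | awk '
        seen && NF >= 2 { n++ }     # data rows follow the ===== rule
        /^=+$/          { seen = 1 }
        END             { print n + 0 }'
}

# Read one host per line on stdin (blank lines and # comments skipped).
# Returns 1 if any host answered, so it can gate a cron job or CI step.
audit_hosts() {
    rc=0
    while read -r host rest; do
        case $host in ''|'#'*) continue ;; esac
        n=$(monlist_entries "$host")
        if [ "$n" -gt 0 ]; then
            echo "OPEN $host monlist returned $n entries"
            rc=1
        else
            echo "ok   $host no monlist reply"
        fi
    done
    return "$rc"
}

# Usage: ./audit-monlist.sh hosts.txt
if [ "$#" -gt 0 ]; then
    audit_hosts < "$1"
fi
```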