[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses
Jon Lewis
jlewis at lewis.org
Tue Feb 25 11:10:51 EST 2014
On Tue, 25 Feb 2014, Phil Rosenthal wrote:
> We have had a reoccurring NTP Reflected DDoS attack against one of our
> customers, and would love it if some of these open NTP
> servers could be closed up.
ack for 12989, but I wonder...the bulk mode whois data you supplied, is
that from the most recent attack (i.e. fresh) or aggregated data from a
number of "relatively recent" attacks? The IP from our AS in your data,
209.197.24.226, was found during an internally done scan of our space a
few weeks ago. We notified the customer. Then it was allegedly used in
an attack, and we notified the customer again. The server was said to
have been fixed, and our testing with ntpdc -c monlist appears to confirm
it was fixed on or before Feb 20th. It showing up in your data from Feb
25th is curious.
--
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________