[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses
Phil Rosenthal
pr at isprime.com
Tue Feb 25 13:29:28 EST 2014
That was from an attack that was active at the time I sent the email. (Feb 25)
That particular attack lasted approximately 1.5 hours (which is typical for the attacks we have been seeing on an approximately weekly basis towards this customer).
I believe this attack was not a monlist attack, as many of the IP addresses I have tried here are not responding to monlist queries, but there are other commands that are abusable.
Unfortunately, I do not have a raw packet capture to see what the actual request type was.
Regards,
-Phil
On Feb 25, 2014, at 9:10 PM, Jon Lewis <jlewis at lewis.org> wrote:
> On Tue, 25 Feb 2014, Phil Rosenthal wrote:
>
>> We have had a recurring NTP Reflected DDoS attack against one of our customers, and would love it if we could get some of these open NTP servers closed up.
>
> ack for 12989, but I wonder...the bulk mode whois data you supplied, is that from the most recent attack (i.e. fresh) or aggregated data from a number of "relatively recent" attacks? The IP from our AS in your data, 209.197.24.226, was found during an internally done scan of our space a few weeks ago. We notified the customer. Then it was allegedly used in an attack, and we notified the customer again. The server was said to have been fixed, and our testing with ntpdc -c monlist appears to confirm it was fixed on or before Feb 20th. It showing up in your data from Feb 25th is curious.
>
> --
> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> | therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
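Phil notes above that without a raw packet capture he could not tell which request type was abused. The following is an added example (not code from the thread or from either author) showing how a defender with a capture of the reflected traffic would decode the NTP header of each UDP/123 datagram and tally which mode 6/7 command was in play. The sample datagrams are constructed here; the mode 7 request-code table is a partial list from ntp_request.h.

```python
import struct
from collections import Counter

# Partial table of NTP mode 7 ("private", ntpdc) request codes from ntp_request.h;
# 42 (REQ_MON_GETLIST_1) is what "ntpdc -c monlist" sends, 20 is the older form.
MODE7_REQ_CODES = {0: "REQ_PEER_LIST", 1: "REQ_PEER_LIST_SUM", 2: "REQ_PEER_INFO",
                   4: "REQ_SYS_INFO", 5: "REQ_SYS_STATS", 14: "REQ_MONITOR",
                   20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}
# Mode 6 (control) opcodes; READVAR is the other query commonly seen in reflection.
MODE6_OPCODES = {1: "CTL_OP_READSTAT", 2: "CTL_OP_READVAR", 3: "CTL_OP_WRITEVAR"}

def classify_ntp(payload: bytes) -> dict:
    """Decode the header of one UDP/123 payload: NTP mode, and for mode 6/7 the
    command, whether it is a response (R bit) and how many items it carries."""
    if len(payload) < 4:
        return {"mode": None, "label": "truncated", "length": len(payload)}
    first = payload[0]
    mode = first & 0x07
    info = {"mode": mode, "version": (first >> 3) & 0x07, "length": len(payload)}
    if mode == 7:      # R|M|VN|Mode, A|Seq, Impl, ReqCode, Err|NItems, MBZ|ItemSize
        code = payload[3]
        info["is_response"] = bool(first & 0x80)
        info["label"] = MODE7_REQ_CODES.get(code, f"REQ_{code}")
        if len(payload) >= 8:
            err_items, mbz_size = struct.unpack("!HH", payload[4:8])
            info["err"] = err_items >> 12
            info["nitems"] = err_items & 0x0FFF      # entries in this fragment
            info["item_size"] = mbz_size & 0x0FFF    # bytes per entry
    elif mode == 6:    # LI|VN|Mode, R|E|M|OpCode, Sequence, Status, AssocID, Offset, Count
        info["is_response"] = bool(payload[1] & 0x80)
        info["label"] = MODE6_OPCODES.get(payload[1] & 0x1F, f"CTL_OP_{payload[1] & 0x1F}")
    else:              # ordinary time sync; modes 4/5 are server/broadcast replies
        info["is_response"] = mode in (4, 5)
        info["label"] = "time-sync"
    return info

def summarize(datagrams):
    """Tally (mode, label, direction) over captured (src, payload) pairs and
    return (count, total bytes) per key, so the dominant abused command stands out."""
    counts, nbytes = Counter(), Counter()
    for _src, payload in datagrams:
        i = classify_ntp(payload)
        key = (i["mode"], i["label"], "resp" if i.get("is_response") else "req")
        counts[key] += 1
        nbytes[key] += len(payload)
    return {k: (counts[k], nbytes[k]) for k in counts}

# Constructed sample datagrams (not from the attack in the thread):
MONLIST_REQ = b"\x17\x00\x03\x2a" + bytes(44)                                   # 48-byte monlist probe
MONLIST_RESP = b"\x97\x00\x03\x2a" + struct.pack("!HH", 6, 72) + bytes(6 * 72)  # one 440-byte reply fragment
CLIENT_REQ = b"\x1b" + bytes(47)                                                # ordinary NTPv3 client poll
SAMPLE = [("192.0.2.10", MONLIST_REQ), ("198.51.100.7", MONLIST_RESP),
          ("198.51.100.7", MONLIST_RESP), ("192.0.2.11", CLIENT_REQ)]
```

Dividing the response byte total by the request byte total for the same reflector gives the per-datagram amplification observed; a full monlist reply is many such fragments.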