[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses

Smith, Donald Donald.Smith at CenturyLink.com
Tue Feb 25 13:42:30 EST 2014


I will keep saying this (to US-CERT and anyone else that will listen): get_monlist1 amounts to 1/100 of the queries. I probably need to see how much of the reflection it provides, but that is hard to do in netflow (or at least I haven't thought of a good way to do that yet).

But get_monlist1 is around 220 octets (IP-packet-wise; add Ethernet headers etc. depending on what you're looking at).

The MAIN query I see is 36 bytes. I think it is just a "time request"? But I am still learning about NTP packets and don't have a packet capture of that yet. You can find the get_monlist1 Wireshark packet if you Google around a bit; it is 234 bytes if I recall correctly (with Ethernet header).

Time stamps help too :)

I am running a netflow report based on the attacking IPs and will get you some metadata results later today.



(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at centurylink.com



From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Phil Rosenthal [pr at isprime.com]
Sent: Tuesday, February 25, 2014 11:29 AM
To: Jon Lewis
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses


----------- nsp-security Confidential --------

That was from an attack that was active at the time I sent the email. (Feb 25)

That particular attack lasted approximately 1.5 hours (which is typical for the attacks we have been seeing on an approximately weekly basis towards this customer).

I believe this attack was not a monlist attack, as many of the IP addresses I have tried here are not responding to monlist queries, but there are other commands that are abusable.

Unfortunately, I do not have a raw packet capture to see what the actual request type was.

Regards,
-Phil
On Feb 25, 2014, at 9:10 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Tue, 25 Feb 2014, Phil Rosenthal wrote:
> 
>> We have had a recurring NTP reflected DDoS attack against one of our
>> customers, and would love it if some of these open NTP servers
>> could be closed up.
> 
> ack for 12989, but I wonder... the bulk mode whois data you supplied, is that from the most recent attack (i.e. fresh) or aggregated data from a number of "relatively recent" attacks?  The IP from our AS in your data, 209.197.24.226, was found during an internally done scan of our space a few weeks ago.  We notified the customer.  Then it was allegedly used in an attack, and we notified the customer again.  The server was said to have been fixed, and our testing with ntpdc -c monlist appears to confirm it was fixed on or before Feb 20th.  It showing up in your data from Feb 25th is curious.
> 
> --
> ----------------------------------------------------------------------
> Jon Lewis, MCP :)           |  I route
>                             |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
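The thread quotes packet sizes from netflow and Wireshark (a 36-byte "main" query, a 220-octet / 234-byte get_monlist1 request) and notes that Phil's attack did not look like monlist while "other commands are abusable". The Python below is an added example, not code from the list or from the ntp project: it classifies an NTP packet from its UDP payload (standard time modes, mode 6 control, mode 7 private with the ntpdc request code), converts payload length into the IP-layer octet count netflow reports and the frame length Wireshark shows, and estimates the monlist reply volume. Constants (request codes, the 192-byte unauthenticated req_pkt ntpdc sends, the 72-byte info_monitor_1 entry, 500-byte response data area) are taken from ntp_request.h; the 600-entry monlist maximum and the sample packets are constructed inline for the demonstration.

```python
"""Classify NTP packets by UDP payload and relate them to netflow /
Wireshark sizes.  Added example; constants from ntp_request.h, sample
packets constructed inline."""
import struct

IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header (no options) + UDP header
ETHERNET_OVERHEAD = 14       # Ethernet II header (Wireshark "frame length")

# Mode 7 (ntpdc "private") request codes, subset from ntp_request.h.
# 42 = MON_GETLIST_1 is what "ntpdc -c monlist" sends.
MODE7_REQUESTS = {
    0: "REQ_PEER_LIST", 1: "REQ_PEER_LIST_SUM", 2: "REQ_PEER_INFO",
    4: "REQ_SYS_INFO", 5: "REQ_SYS_STATS", 16: "REQ_GET_RESTRICT",
    20: "REQ_MON_GETLIST", 28: "REQ_AUTHINFO", 42: "REQ_MON_GETLIST_1",
}
IMPL_XNTPD = 3               # "implementation" byte used by ntpdc
REQ_LEN_NOMAC = 192          # full unauthenticated req_pkt as sent by ntpdc
MONLIST_ITEM_SIZE = 72       # sizeof(struct info_monitor_1)
RESP_DATA_SIZE = 500         # data area of one mode 7 response packet
RESP_HEADER_SIZE = 8


def classify(payload: bytes) -> dict:
    """Describe one NTP packet from its UDP payload."""
    if len(payload) < 4:
        return {"kind": "runt", "payload_len": len(payload)}
    first = payload[0]
    info = {"payload_len": len(payload),
            "version": (first >> 3) & 0x07, "mode": first & 0x07}
    if info["mode"] == 7:
        # byte0: R(bit7) M(bit6) VN mode | byte1: auth/seq | byte2: impl | byte3: request
        info["kind"] = "mode7-private"
        info["response"] = bool(first & 0x80)
        info["implementation"] = payload[2]
        info["request"] = MODE7_REQUESTS.get(payload[3], "REQ_%d" % payload[3])
        if len(payload) >= 8:
            info["err_nitems"], info["mbz_itemsize"] = struct.unpack("!HH", payload[4:8])
    elif info["mode"] == 6:
        # mode 6 control (ntpq): R bit and opcode live in byte 1
        info["kind"] = "mode6-control"
        info["response"] = bool(payload[1] & 0x80)
        info["opcode"] = payload[1] & 0x1F
    else:
        # modes 1-5: ordinary 48-byte time packets (3 = client poll, 4 = server reply)
        info["kind"] = "time"
        info["response"] = info["mode"] == 4
    return info


def wire_sizes(payload: bytes) -> dict:
    """Packet size at the layers people quote for a given UDP payload."""
    ip_total = len(payload) + IPV4_UDP_OVERHEAD
    return {"udp_payload": len(payload),
            "ip_total": ip_total,                           # netflow octets
            "ethernet_frame": ip_total + ETHERNET_OVERHEAD}  # Wireshark frame length


def build_monlist_request(ntpdc_style: bool = False) -> bytes:
    """MON_GETLIST_1 request; 0x17 = no R/M bits, version 2, mode 7."""
    header = struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, 42, 0, 0)
    if ntpdc_style:
        # ntpdc sends the whole req_pkt with zeroed data area and timestamp
        return header + bytes(REQ_LEN_NOMAC - len(header))
    return header  # the bare 8-byte form scanners and attack tools send


def build_client_request() -> bytes:
    """Ordinary mode 3 client poll: LI=0, VN=4, mode 3, 48 bytes, timestamps zeroed."""
    return bytes([0x23]) + bytes(47)


def monlist_response_size(n_entries: int) -> dict:
    """Packets and IP-layer bytes a server returns for a monlist of n_entries hosts."""
    per_packet = RESP_DATA_SIZE // MONLIST_ITEM_SIZE          # 6 entries per packet
    packets = max(1, -(-n_entries // per_packet))             # ceiling division
    payload_bytes = packets * RESP_HEADER_SIZE + n_entries * MONLIST_ITEM_SIZE
    return {"packets": packets, "ip_bytes": payload_bytes + packets * IPV4_UDP_OVERHEAD}


def amplification(n_entries: int, request: bytes) -> float:
    """IP-layer bytes returned per IP-layer byte sent."""
    return monlist_response_size(n_entries)["ip_bytes"] / wire_sizes(request)["ip_total"]


if __name__ == "__main__":
    samples = [("8-byte monlist", build_monlist_request()),
               ("ntpdc monlist", build_monlist_request(ntpdc_style=True)),
               ("mode 3 client", build_client_request())]
    for name, pkt in samples:
        print(name, classify(pkt), wire_sizes(pkt))
    print("600-entry monlist reply:", monlist_response_size(600),
          "= %.0fx the 8-byte request" % amplification(600, build_monlist_request()))
```

Run against a pcap, feed each UDP/123 payload to classify() and group by (mode, request): that separates time polls from mode 7 and mode 6 traffic and shows which private request codes a reflector is being hit with, which is the distinction netflow byte counts alone cannot make.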