[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses
Phil Rosenthal
pr at isprime.com
Tue Feb 25 13:51:31 EST 2014
The timestamp of the beginning of the attack was Feb 25, 2014 at 3:58AM EST, and ended at 5:30AM EST.
The response packets we saw were approx 450 bytes, but I don’t have the exact packet length, or command type as I don’t have raw packet captures unfortunately.
Regards,
-Phil
On Feb 25, 2014, at 11:42 PM, Smith, Donald <Donald.Smith at CenturyLink.com> wrote:
> I will keep saying this (to us-cert and anyone else that will listen). get_monlist1 amounts to 1/100 of the queries. I probably need to see how much of the reflection it provides, but that is hard to do in netflow (or at least I haven't thought of a good way to do that yet).
>
> But get_monlist1 is around 220 octets (IP packet wise; add Ethernet headers etc. depending on what you're looking at.)
>
> The MAIN query I see is 36 bytes. I think it is just a "time request?" but I am still learning about NTP packets and don't have a packet capture of that yet. You can find the get_monlist1 Wireshark packet if you google around a bit; it is 234 bytes if I recall correctly (with Ethernet header).
>
> Time stamps help too :)
>
> I am running a netflow report based on the attacking ips and will get you some metadata results later today.
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at centurylink.com
>
> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Phil Rosenthal [pr at isprime.com]
> Sent: Tuesday, February 25, 2014 11:29 AM
> To: Jon Lewis
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses
>
> ----------- nsp-security Confidential --------
>
> That was from an attack that was active at the time I sent the email. (Feb 25)
>
> That particular attack lasted approximately 1.5 hours (which is typical for the attacks we have been seeing on an approximately weekly basis towards this customer).
>
> I believe this attack was not a monlist attack, as many of the IP addresses I have tried here are not responding to monlist queries, but there are other commands that are abusable.
>
> Unfortunately, I do not have a raw packet capture to see what the actual request type was.
>
> Regards,
> -Phil
> On Feb 25, 2014, at 9:10 PM, Jon Lewis <jlewis at lewis.org> wrote:
>
>> On Tue, 25 Feb 2014, Phil Rosenthal wrote:
>>
>>> We have had a recurring NTP reflected DDoS attack against one of our customers, and would love it if some of these open NTP servers could be closed up.
>>
>> ack for 12989, but I wonder...the bulk mode whois data you supplied, is that from the most recent attack (i.e. fresh) or aggregated data from a number of "relatively recent" attacks? The IP from our AS in your data, 209.197.24.226, was found during an internally done scan of our space a few weeks ago. We notified the customer. Then it was allegedly used in an attack, and we notified the customer again. The server was said to have been fixed, and our testing with ntpdc -c monlist appears to confirm it was fixed on or before Feb 20th. It showing up in your data from Feb 25th is curious.
>>
>> --
>> ----------------------------------------------------------------------
>> Jon Lewis, MCP :) | I route
>> | therefore you are
>> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
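The messages above describe doing reflection triage from flow data by hand: sizing the response packets, counting distinct reflector sources hitting one customer, and working out which networks to notify. The following is an added example written for this archive page, not code from the thread or from anyone on it. It assumes a simplified, constructed flow-record format (one comma-separated record per line: timestamp, source IP/port, destination IP/port, protocol, packets, bytes); the sample records, the 200-byte mean-size threshold and the documentation-range addresses are all constructed for illustration.

```python
"""Triage NTP reflection traffic from flow records, defender-side.

Added example, not code from the nsp-security thread or from any of its
authors. It assumes a simplified, constructed flow-record format
(one record per line, comma separated):

    timestamp,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes

A real NetFlow/IPFIX feed needs a collector in front of this, but the
grouping logic is what the thread describes doing by hand: find UDP
flows sourced from port 123, group them by destination, count distinct
reflectors and look at the mean response packet size.
"""
from collections import defaultdict

NTP_PORT = 123
UDP = 17
# Size of a plain NTP client/server packet (48 bytes of NTP payload,
# headers excluded); used here only as a sanity baseline.
PLAIN_NTP_BYTES = 48

# Constructed sample records (documentation-range addresses). The first
# three are reflectors answering toward one target with ~450-byte
# packets; the last two are a normal 48-byte time query and its reply.
SAMPLE_FLOWS = """\
2014-02-25T03:58:01,198.51.100.10,123,203.0.113.5,44123,17,2000,900000
2014-02-25T03:58:01,198.51.100.11,123,203.0.113.5,44123,17,1500,675000
2014-02-25T03:58:02,198.51.100.12,123,203.0.113.5,44123,17,1800,810000
2014-02-25T03:58:02,192.0.2.7,53211,198.51.100.99,123,17,1,48
2014-02-25T03:58:02,198.51.100.99,123,192.0.2.7,53211,17,1,48
"""


def parse_flows(text):
    """Parse the constructed CSV format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sip, sport, dip, dport, proto, pkts, nbytes = line.split(",")
        records.append({
            "ts": ts, "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return records


def ntp_reflection_summary(records, min_avg_bytes=200):
    """Per destination, summarise UDP traffic sourced from port 123.

    A destination is reported when the mean packet size of those flows
    is at or above min_avg_bytes: monlist-style responses are several
    hundred bytes, while a plain time reply is 48 bytes. The threshold
    is a heuristic chosen for this example, not a value from the thread.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for r in records:
        if r["proto"] != UDP or r["src_port"] != NTP_PORT:
            continue
        d = per_dst[r["dst_ip"]]
        d["reflectors"].add(r["src_ip"])
        d["packets"] += r["packets"]
        d["bytes"] += r["bytes"]

    flagged = {}
    for dst, d in per_dst.items():
        avg = d["bytes"] / d["packets"]
        if avg >= min_avg_bytes:
            flagged[dst] = {
                "reflector_count": len(d["reflectors"]),
                "packets": d["packets"],
                "bytes": d["bytes"],
                "avg_packet_bytes": avg,
                # Ratio against a plain reply. This is NOT the true
                # amplification factor, which needs the query side too.
                "response_size_ratio": avg / PLAIN_NTP_BYTES,
            }
    return flagged


def reflectors_for(records, victim):
    """Sorted source addresses that sent UDP/123 traffic to victim, i.e.
    the list you would hand to the owning networks for notification."""
    return sorted({r["src_ip"] for r in records
                   if r["proto"] == UDP and r["src_port"] == NTP_PORT
                   and r["dst_ip"] == victim})


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for dst, info in ntp_reflection_summary(recs).items():
        print(dst, info)
        print("  reflectors:", reflectors_for(recs, dst))
```

As Donald's note points out, the response side alone does not give the real amplification factor; the `response_size_ratio` field is only a size comparison against a plain 48-byte reply, and a proper measurement needs the matching query flows toward the reflectors as well.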