[nsp-sec] NTP reflection attacks

Phil Rosenthal pr at isprime.com
Wed Jan 8 21:23:05 EST 2014


ACK for 23393. 

Fortunately we saved some embarrassment — I noticed a pattern of abuse in mid-December via netflow for port 123 traffic, I alerted our abuse desk to search for open NTP on our network, and we had over 4000 servers answering public NTP.

136 IPs answering is still not great, and we are working on the remaining ones. 

I also think it is notable, though:
Prior to securing the 4000 servers — we would see occasional spikes (of port 123) to ~2Gbps, but these spikes were all under 5 minutes long (typically 1-2 minutes). These spikes would happen maybe once a week. I think it is somewhat unusual that people are launching DoS attacks for such short amounts of time, since whenever we are on the receiving end, they typically go on for days. The servers that were being abused for these attacks were primarily those used as authoritative DNS servers (with unsecured ntpd).

After securing the 4000 servers — we have not seen any spikes on outbound port 123 traffic, so the remaining 136 IPs that are answering were not being abused. Inbound spikes also have gone away, so it seems that the attackers have noticed those IPs have been secured.

Regards,
-Phil
On Jan 8, 2014, at 2:39 PM, Jared Mauch <jared at puck.nether.net> wrote:

> ----------- nsp-security Confidential --------
> 
> On Thu, Jan 02, 2014 at 04:22:44PM +0000, Wentworth, Brett wrote:
>> ----------- nsp-security Confidential --------
>> 
>> We are seeing a spike.  Anyone else?
> 
> Sure.
> 
> http://openntpproject/ntp-worst-cymru.txt is available for your remediation action.
> The website will be searchable soon, perhaps with the data from tomorrows scan.
> 
> - Jared
> 
> -- 
> Jared Mauch | +1 313 506 4307 * AS2914
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
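
Phil describes spotting the abuse through netflow on port 123 and then checking which of the still-open servers were actually being used. The following is an added example, not code from this thread or from any of its posters, of one way to do that over NetFlow-style records: for each local host answering on UDP/123, compare the bytes it sends from port 123 against the bytes that elicited them, and separately bucket outbound port-123 bytes in time to measure how high and how long a spike was. The record layout, the prefix 203.0.113. standing in for "our" network, the thresholds, and every flow record below are constructed for illustration; the ratio and byte thresholds are assumptions to be tuned against real flow data.

```python
"""Flag NTP reflectors from NetFlow-style records (added example, not from the
nsp-security thread). Record layout, thresholds and sample flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
UDP = 17


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since epoch (constructed values below)
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int
    byts: int


def ntp_peer_stats(flows, local_prefix):
    """Aggregate UDP/123 traffic per (local server, remote peer) pair.

    Only flows where the local host is the NTP *server* (remote -> local:123 or
    local:123 -> remote) are counted, so our own hosts syncing as clients to
    outside servers do not pollute the numbers."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0,
                                 "out_pkts": 0, "out_bytes": 0})
    for f in flows:
        if f.proto != UDP:
            continue
        if f.dst.startswith(local_prefix) and f.dport == NTP_PORT:
            s = stats[(f.dst, f.src)]
            s["in_pkts"] += f.pkts
            s["in_bytes"] += f.byts
        elif f.src.startswith(local_prefix) and f.sport == NTP_PORT:
            s = stats[(f.src, f.dst)]
            s["out_pkts"] += f.pkts
            s["out_bytes"] += f.byts
    return stats


def find_reflectors(flows, local_prefix, min_ratio=10.0, min_out_bytes=1_000_000):
    """Return {server: {"ratio", "out_bytes", "victims"}} for local hosts whose
    replies dwarf the requests that elicited them.

    A normal client/server exchange is 48 bytes each way (ratio about 1). A host
    being used as a reflector sends far more bytes out than it receives, and the
    peers that see the amplified replies are the (spoofed) victims."""
    per_server = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "victims": set()})
    for (server, peer), s in ntp_peer_stats(flows, local_prefix).items():
        agg = per_server[server]
        agg["in_bytes"] += s["in_bytes"]
        agg["out_bytes"] += s["out_bytes"]
        if s["in_bytes"] and s["out_bytes"] / s["in_bytes"] >= min_ratio:
            agg["victims"].add(peer)
    result = {}
    for server, agg in per_server.items():
        if agg["in_bytes"] == 0:
            continue
        ratio = agg["out_bytes"] / agg["in_bytes"]
        if ratio >= min_ratio and agg["out_bytes"] >= min_out_bytes:
            result[server] = {"ratio": round(ratio, 1),
                              "out_bytes": agg["out_bytes"],
                              "victims": sorted(agg["victims"])}
    return result


def peak_outbound_ntp(flows, local_prefix, bin_seconds=60):
    """Bucket outbound UDP/123 bytes from local hosts into time bins.

    Returns (peak_bits_per_second, bins_at_or_above_half_peak); the second value
    is a rough duration of the spike in bins."""
    bins = defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.src.startswith(local_prefix) and f.sport == NTP_PORT:
            bins[f.ts // bin_seconds] += f.byts
    if not bins:
        return 0.0, 0
    peak_bytes = max(bins.values())
    above = sum(1 for b in bins.values() if b >= peak_bytes / 2)
    return peak_bytes * 8 / bin_seconds, above


# Constructed sample flows: 203.0.113.0/24 is "our" network, 198.51.100.5 the victim.
SAMPLE_FLOWS = [
    # abused server: 2000 small requests in, 200000 large replies out (two flows)
    Flow(1000, "198.51.100.5", "203.0.113.10", UDP, 40123, 123, 2000, 100_000),
    Flow(1000, "203.0.113.10", "198.51.100.5", UDP, 123, 40123, 100_000, 44_000_000),
    Flow(1070, "203.0.113.10", "198.51.100.5", UDP, 123, 40123, 100_000, 44_000_000),
    # open but unabused server: symmetric 48-byte exchanges with a real client
    Flow(5000, "192.0.2.7", "203.0.113.20", UDP, 123, 123, 10, 480),
    Flow(5000, "203.0.113.20", "192.0.2.7", UDP, 123, 123, 10, 480),
    # our own host syncing as a client to an outside server: must be ignored
    Flow(5000, "203.0.113.40", "192.0.2.9", UDP, 40000, 123, 4, 192),
    Flow(5000, "192.0.2.9", "203.0.113.40", UDP, 123, 40000, 4, 192),
]

if __name__ == "__main__":
    print(find_reflectors(SAMPLE_FLOWS, "203.0.113."))
    print(peak_outbound_ntp(SAMPLE_FLOWS, "203.0.113."))
```

Run against real exported flows, the first function answers the question in the mail (which of the hosts that still answer are actually being abused), and the second gives the height and duration of each outbound spike for comparison with the ~2Gbps, one-to-five-minute bursts described above.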
