[nsp-sec] NTP reflection attacks
Phil Rosenthal
pr at isprime.com
Tue Jan 14 23:57:27 EST 2014
Just a heads up. We are now starting to see a new type of attack on downstream customers, with NTP monlist directed at an open chargen.
Attack pattern looks like this:
* Scan victim network for open chargen
* Say Victim = 1.1.1.1, NTP = 2.2.2.2
* Spoof 1.1.1.1:19 -> 2.2.2.2:123 with an NTP Monlist request
* 2.2.2.2:123 replies to 1.1.1.1:19 with an amplified response
* 1.1.1.1:19 then replies to 2.2.2.2:123 with a chargen response (another amplification)
This causes the victim's network to be completely saturated in *both* directions.
Perhaps now is a good time to start scanning for open Chargen as well, and get those locked down, too?
-Phil
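A detection example for the pattern Phil describes, added here and not part of his post: it walks UDP flow records (constructed sample rows, not real data) and reports any host pair exchanging traffic between port 123 and port 19, since no legitimate service pairs NTP with chargen, and flags the pairs where both directions are present, which is the ping-pong loop above. Field order and the NetFlow-style tuple shape are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real data), shaped like exported NetFlow rows:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("1.1.1.1", 19, "2.2.2.2", 123, "udp", 2340, 30),      # spoofed monlist requests "from" victim:19
    ("2.2.2.2", 123, "1.1.1.1", 19, "udp", 460800, 1050),  # amplified monlist replies into the victim's chargen
    ("1.1.1.1", 19, "2.2.2.2", 123, "udp", 52000, 1050),   # chargen answering each reply back toward the NTP server
    ("10.0.0.5", 50000, "2.2.2.2", 123, "udp", 96, 2),     # ordinary NTP client query, benign
    ("10.0.0.7", 19, "10.0.0.9", 19, "udp", 400, 5),       # chargen-to-chargen noise, not this pattern
]

NTP_PORT, CHARGEN_PORT = 123, 19


def detect_ntp_chargen_loops(flows):
    """Aggregate UDP flows between port 123 and port 19 per (ntp_host, chargen_host) pair.

    Any such flow is suspect on its own; a pair with bytes in both directions is
    the reflection loop (NTP monlist reply -> chargen reply -> NTP ...) that
    saturates the victim's link both ways.
    """
    pairs = defaultdict(lambda: {"bytes_to_chargen": 0, "pkts_to_chargen": 0,
                                 "bytes_to_ntp": 0, "pkts_to_ntp": 0})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp":
            continue
        if sport == NTP_PORT and dport == CHARGEN_PORT:      # amplified NTP reply hitting chargen
            rec = pairs[(src, dst)]
            rec["bytes_to_chargen"] += nbytes
            rec["pkts_to_chargen"] += npkts
        elif sport == CHARGEN_PORT and dport == NTP_PORT:    # spoofed request or chargen's answer
            rec = pairs[(dst, src)]
            rec["bytes_to_ntp"] += nbytes
            rec["pkts_to_ntp"] += npkts
    return [{"ntp_host": ntp, "chargen_host": cg,
             "bidirectional": rec["bytes_to_chargen"] > 0 and rec["bytes_to_ntp"] > 0, **rec}
            for (ntp, cg), rec in pairs.items()]


if __name__ == "__main__":
    for f in detect_ntp_chargen_loops(SAMPLE_FLOWS):
        tag = "LOOP" if f["bidirectional"] else "one-way"
        print(f"{tag}: ntp={f['ntp_host']} chargen={f['chargen_host']} "
              f"to_chargen={f['bytes_to_chargen']}B to_ntp={f['bytes_to_ntp']}B")
```

Either endpoint can be fixed on its own: disabling chargen on the victim side or disabling monlist on the NTP server breaks the loop, so the report is useful for both the reflector's and the victim's operator.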
On Jan 14, 2014, at 12:49 PM, Andrew W Elble <aweits at discipline.rit.edu> wrote:
> ----------- nsp-security Confidential --------
>
>
> ACK for AS4385. Thanks!
>
> Jared Mauch <jared at puck.Nether.net> writes:
>
>> ----------- nsp-security Confidential --------
>>
>> On Thu, Jan 02, 2014 at 04:22:44PM +0000, Wentworth, Brett wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> We are seeing a spike. Anyone else?
>>
>> Sure.
>>
>> http://openntpproject/ntp-worst-cymru.txt is available for your remediation action.
>> The website will be searchable soon, perhaps with the data from tomorrow's scan.
>>
>> - Jared
>
> --
> Andrew W. Elble
> aweits at discipline.rit.edu
> Infrastructure Engineer, Communications Technical Lead
> Rochester Institute of Technology
> PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________