[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses

Brian J Smith-Sweeney bsmithsweeney at nyu.edu
Sun Mar 2 10:53:17 EST 2014


On Tue, Feb 25, 2014 at 5:20 AM, Phil Rosenthal <pr at isprime.com> wrote:

> ----------- nsp-security Confidential --------
>
>
> Hello all,
>
> We have had a recurring NTP Reflected DDoS attack against one of our
> customers, and would love it if some of these open NTP servers
> could be closed up.
>
> The full list is attached as a text file due to its size.
>
> By traffic, the top ASNs are 4713, 701, 3462, 7922, 9737, 4134, 6830,
> 12741, 1659, 43700, 174, 9808, 3269, 45899, 2907, 7018, 3356, 9498, 6128,
> 36531, 13999, 209, 14, 3215, 8732, 47764, 3549, 25019, 3320, 13768.
>
> Thanks in advance!
> Regards,
> -Phil Rosenthal
>
>
AS12 here, thanks Phil, sorry for the late response.  If anyone else is
interested we're currently taking the following actions to handle the
general ntp problem:

1) Kicking anyone off the network that's reported to us as being abused.
We used to just reserve this for compromised systems but feel it's
appropriate when we're sourcing DoS (particularly ntp, which has gone from
a rare to nearly daily occurrence).
2) Scanning the network for not-yet-abused systems (nmap with ntp-monlist
script).  This is fraught with the standard perils of scanning for udp but
it's turned up a bunch of hosts we didn't already know about.  I've got a
short Python script to parse nmap's xml output for vulnerable systems.
3) Notify vulnerable systems with a sunset date - fix or off by X time.

I'm sharing this because I know folks sometimes find it useful to have
peers to point at to help justify action to management.  If that's you,
feel free to tell yours this is what we're doing.

I'm talking to our NOC team about what our capabilities are for handling
this at the border, but we don't do much filtering now, and it's tricky.

-- 
Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney , Assistant Director
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
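An added example of the parsing step in item 2 above (this is not Brian's script): it reads nmap's `-oX` output and lists the hosts on which the ntp-monlist script returned data, i.e. the ones that answer monlist and need a notification. The XML below is constructed to match nmap's output shape, not taken from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (not a real scan), shaped like
# `nmap -sU -p 123 --script ntp-monlist -oX scan.xml <range>` produces.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -p 123 --script ntp-monlist">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="123">
      <state state="open" reason="udp-response"/>
      <service name="ntp"/>
      <script id="ntp-monlist" output="Target is synchronised to ...">
        <table key="Public Servers (2)">
          <elem>198.51.100.1</elem><elem>198.51.100.2</elem>
        </table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="123">
      <state state="open|filtered" reason="no-response"/><service name="ntp"/>
    </port></ports>
  </host>
</nmaprun>"""

def monlist_responders(xml_text):
    """Return [(address, entry_count)] for hosts whose ntp-monlist script
    produced output (usable as reflectors); hosts with no script element
    (no response to the monlist query) are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            if port.get("protocol") != "udp" or port.get("portid") != "123":
                continue
            script = port.find("script[@id='ntp-monlist']")
            if script is None or not script.get("output"):
                continue
            # monlist results are listed as <elem> entries under <table>s
            entries = sum(1 for _ in script.iter("elem"))
            findings.append((addr_el.get("addr"), entries))
    return findings

if __name__ == "__main__":
    for addr, n in monlist_responders(SAMPLE_XML):
        print(f"{addr}: monlist answered, {n} entries")
```

Feed it the real file with `monlist_responders(open("scan.xml").read())`; the entry count is a rough size of the reflector's monlist reply, useful when prioritising notifications.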