[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses

Phil Rosenthal pr at isprime.com
Sun Mar 2 11:02:07 EST 2014


On Mar 2, 2014, at 9:53 PM, Brian J Smith-Sweeney <bsmithsweeney at nyu.edu> wrote:

> 1) Kicking anyone off the network that's reported to us as being abused.  We used to just reserve this for compromised systems but feel it's appropriate when we're sourcing DoS (particularly ntp, which has gone from a rare to nearly daily occurrence).
> 2) Scanning the network for not-yet-abused systems (nmap with ntp-monlist script).  This is fraught with the standard perils of scanning for udp but it's turned up a bunch of hosts we didn't already know about.  I've got a short Python script to parse nmap's xml output for vulnerable systems.
> 3) Notify vulnerable systems with a sunset date - fix or off by X time.
> 
> I'm sharing this because I know folks sometimes find it useful to have peers to point at to help justify action to management.  If that's you, feel free to tell yours this is what we're doing.  
> 
> I'm talking to our NOC team about what our capabilities are for handling this at the border, but we don't do much filtering now, and it's tricky.
> 

I agree that your approach is the most sensible one.

Filtering at the border is a bad precedent.  A world with unreliable NTP is going to cause ‘mysterious’ problems in all sorts of unexpected places.  Let’s try to avoid throwing the baby out with the bath water and just fix the NTP DRDoS problem without making new ones.

Also — Thanks to you and everyone who has worked to clean up NTP reflectors on their network.  We received another attack today — 90% smaller.  I am hopeful that this indicates that 90% of the list I posted has already been cleaned. [Though, you know how these things go, and tomorrow may be an even larger attack]

Regards,
-Phil
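The parsing step in Brian's item 2 above (scan with nmap's ntp-monlist script, then pull the responders out of the XML output) as an added example; this is not his script, and the scan command line, host addresses and output text are constructed for illustration.

```python
"""List NTP hosts that answered nmap's ntp-monlist script (monlist
responders are usable as DRDoS reflectors and need fixing).
Added example, not the thread's script. Assumes output from e.g.
  nmap -sU -p 123 --script ntp-monlist -oX scan.xml <prefix>"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema: one responder, one host whose
# UDP/123 state is ambiguous, one where the script itself failed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="ntp1.example.edu" type="PTR"/></hostnames>
  <ports><port protocol="udp" portid="123"><state state="open"/>
   <service name="ntp"/>
   <script id="ntp-monlist" output="  Target is synchronised with 203.0.113.5&#10;  Public Servers (2)&#10;    198.51.100.1 198.51.100.2"/>
  </port></ports></host>
 <host><address addr="192.0.2.11" addrtype="ipv4"/>
  <ports><port protocol="udp" portid="123"><state state="open|filtered"/>
   <service name="ntp"/></port></ports></host>
 <host><address addr="192.0.2.12" addrtype="ipv4"/>
  <ports><port protocol="udp" portid="123"><state state="open"/>
   <script id="ntp-monlist" output="ERROR: Script execution failed (use -d to debug)"/>
  </port></ports></host>
</nmaprun>"""


def monlist_responders(xml_text):
    """Return [(ip, ptr_name, first_output_line)] for hosts where
    ntp-monlist produced real output; script errors are not findings."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ptr = host.find("hostnames/hostname")
        name = ptr.get("name") if ptr is not None else ""
        for script in host.iter("script"):
            out = script.get("output", "").strip()
            if script.get("id") == "ntp-monlist" and out and not out.startswith("ERROR"):
                findings.append((addr.get("addr"), name, out.splitlines()[0]))
    return findings


if __name__ == "__main__":
    # With a file argument parse a real scan; otherwise run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, name, summary in monlist_responders(text):
        print(f"{ip}\t{name}\t{summary}")
```

The resulting list is what feeds item 3 (notify with a sunset date); a host whose UDP/123 shows up as open|filtered is not a finding and would need a follow-up check before it is chased.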
