[nsp-sec] NTP Amps
Dominik Bay
db at rrbone.net
Tue Apr 14 18:23:56 EDT 2015
I informed AS251 and AS6805 about the hosts and time of the attack. Thanks!
On 04/14/2015 11:36 PM, Krista Hickey wrote:
> ----------- nsp-security Confidential --------
>
>
>
> [Apologies if this is a duplicate email]
>
> Hi All
>
> Between approx April 13, 00:20 EST and April 14, 03:30 EST we've had a variety of fairly sizeable (up to 60Gbps) NTP amplification attacks on three separate customers and in one case the attackers, fairly rapidly, followed the customer through four IP changes. The attacks were not sustained over the entire ~26 hours but I counted at least 14 unique attacks > 10Gbps over that time frame.
>
> I can't find any obvious connection between the customers but it does not appear to be typical gaming type attacks and what's notable is that the attackers/service used pretty much the same ~400 NTP amplifiers for all the attacks. Due to my delay in posting the list I removed the ~100 IPs that are no longer responding to the NTP amp queries, apologies if I missed any.
>
> Appreciate any efforts to remediate these vulnerable NTP hosts as the attacker seems to be using them quite efficiently to generate fairly sizeable attacks which is becoming a bit annoying. Feel free to share details as required for remediation but please no attribution to me, my organization or the group here.
>
> Thanks
> Krista
> 7992
--
rrbone UG (haftungsbeschraenkt) - Leibnizstr. 8a - 44147 Dortmund
HR B 23168 Amtsgericht Dortmund - Geschaeftsfuehrer: Dominik Bay