[Outages-discussion] [outages] enough of this ntp bs.

Frank Bulk frnkblk at iname.com
Sat Mar 8 12:16:46 EST 2014


Forgive my naivety, but if the target port is the same (UDP 123) and there
are only nine target IPs, why aren't the upstream providers applying a
simple filter upstream of "ip deny all <router ip> udp 123" ?

Frank


From: Bryan Socha [mailto:bryan at serverstack.com] 
Sent: Saturday, March 08, 2014 10:32 AM
To: Terrence
Cc: Frank Bulk; outages-discussion at outages.org
Subject: Re: [Outages-discussion] [outages] enough of this ntp bs.


that won't help, they're not attacking "me", they are attacking the ip address
of all 9 provider links on my peering routers.   I can't offload the
cleaning, it's the datacenter itself under attack but on ips I can't even
blackhole.    I am at the mercy of providers to block their ip from being
attacked without dropping my datacenter.   2 days ago we changed ips of the
router and it took 45 seconds for the attack to move..    even if I had
100gbps links, the attack is still too large to stop.




Bryan Socha

Network Engineer

646.450.0472 | bryan at serverstack.com

ServerStack | Scale Big


On Sat, Mar 8, 2014 at 11:27 AM, Terrence <terrence.oconnor at gmail.com> wrote:

Sounds like you need some DDoS help. Let me know. ;)

We've been certainly seeing an uptick in the number and size of attacks
lately. I am not sure why the last mile providers aren't blocking spoofed
source addresses.

There really isn't a good mitigation strategy other than offloading the
attacks to a scalable provider. Or having ISPs validate the source prior to
forwarding the packet. You just can't mitigate 450Gbps attacks at origin
infrastructure.



-

Terrence

Sent from my iPhone please excuse any errors.


On Mar 8, 2014, at 11:10 AM, "Frank Bulk" <frnkblk at iname.com> wrote:

If you've seen more than 300 Gbps you should blog about it.  =) The largest
documented to date is CloudFlare's. 


Are your upstream providers blocking NTP packets larger than a certain size?


Frank


From: Bryan Socha [mailto:bryan at serverstack.com] 
Sent: Saturday, March 08, 2014 10:04 AM
To: Frank Bulk
Cc: outages-discussion at outages.org
Subject: Re: [outages] enough of this ntp bs.


It might sound like a joke but I've seen hundreds of gigs of attacks every
morning.  It's all coming from home CPE devices and I think they need to
start paying us for their incompetence.   In 2014, why is this a
problem!!?!???!?!?!!?  it's time to be responsible.




Bryan Socha

Network Engineer

646.450.0472 | bryan at serverstack.com

ServerStack | Scale Big


On Sat, Mar 8, 2014 at 10:57 AM, Frank Bulk <frnkblk at iname.com> wrote:

We've seen more DDoS attacks than normal, too, not just on ourselves, but on
other networks where I have visibility.  Funny that I saw an email in my inbox
from Arbor Networks regarding an NTP DDoS webinar..


Frank


From: Outages [mailto:outages-bounces at outages.org] On Behalf Of Bryan Socha
Sent: Saturday, March 08, 2014 9:41 AM
To: outages at outages.org
Subject: [outages] enough of this ntp bs.


all week long I'm seeing ntp attacks on provider ips on my router.    Enough
of this bs, it's time to stand up and block this BS....


_______________________________________________
Outages-discussion mailing list
Outages-discussion at outages.org
https://puck.nether.net/mailman/listinfo/outages-discussion
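The thread turns on two defender-side questions: which of the nine provider-link addresses is actually absorbing the reflected NTP traffic, and whether "NTP packets larger than a certain size" (Frank's question) is a usable filter criterion. The example below is added here and is not code from Frank, Bryan, Terrence or the list. It assumes flow records with the fields shown (source, source port, destination, destination port, total UDP payload bytes, packet count), treats any flow from UDP/123 whose average payload exceeds the 48-byte NTP header plus a 24-byte MAC (RFC 5905) as suspect, and uses constructed sample records on RFC 5737 documentation addresses. The ACL line it emits is an illustrative Cisco-IOS-style entry, not a tested configuration.

```python
from collections import defaultdict
from dataclasses import dataclass

# RFC 5905: the NTP header is 48 bytes; an optional MAC adds up to 24 more.
# A UDP payload from source port 123 that is consistently larger than this
# is not ordinary time synchronisation (a mode 7 "monlist" reply, the usual
# 2014 reflection vector, is far larger). The threshold is an assumption
# of this example, not a figure from the thread.
NTP_PORT = 123
NTP_MAX_NORMAL_PAYLOAD = 48 + 24


@dataclass(frozen=True)
class Flow:
    """One flow record; payload_bytes is total UDP payload over `packets`.
    The field layout is assumed for this example, not any collector's schema."""
    src: str
    sport: int
    dst: str
    dport: int
    payload_bytes: int
    packets: int

    @property
    def avg_payload(self) -> float:
        return self.payload_bytes / self.packets


def is_suspect_ntp(flow: Flow) -> bool:
    """True when the flow looks like amplified NTP response traffic:
    it comes from UDP/123 and its packets are oversized for NTP."""
    return flow.sport == NTP_PORT and flow.avg_payload > NTP_MAX_NORMAL_PAYLOAD


def summarize(flows, protected_ips):
    """Suspect NTP bytes and distinct reflector sources per protected
    destination (e.g. the provider-link addresses on a peering router)."""
    totals = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        if f.dst in protected_ips and is_suspect_ntp(f):
            totals[f.dst]["bytes"] += f.payload_bytes
            totals[f.dst]["sources"].add(f.src)
    return dict(totals)


def top_targets(flows, protected_ips):
    """Protected addresses ordered by suspect NTP volume, largest first."""
    s = summarize(flows, protected_ips)
    return sorted(((ip, v["bytes"]) for ip, v in s.items()), key=lambda t: -t[1])


def suggest_filter(dst_ip: str) -> str:
    """Illustrative Cisco-IOS-style named-ACL entry (an assumption of this
    example) dropping UDP traffic sourced from port 123 toward one router
    address. Note that it also drops that router's own legitimate NTP
    replies, so the router must sync via an address the rule does not cover."""
    return f"deny udp any eq {NTP_PORT} host {dst_ip}"


# Constructed sample records using RFC 5737 documentation addresses.
PROTECTED = {"203.0.113.1", "203.0.113.2"}
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 123, "203.0.113.1", 60000, 440 * 1000, 1000),  # oversized
    Flow("198.51.100.11", 123, "203.0.113.1", 60000, 440 * 500, 500),    # oversized
    Flow("198.51.100.12", 123, "203.0.113.2", 50000, 448 * 200, 200),    # oversized
    Flow("192.0.2.5", 123, "203.0.113.1", 123, 48 * 10, 10),             # normal NTP
    Flow("198.51.100.13", 53, "203.0.113.1", 1234, 4000 * 10, 10),       # not NTP
    Flow("198.51.100.14", 123, "203.0.113.99", 4444, 440 * 50, 50),      # not protected
]

if __name__ == "__main__":
    per_ip = summarize(SAMPLE_FLOWS, PROTECTED)
    for ip, nbytes in top_targets(SAMPLE_FLOWS, PROTECTED):
        srcs = len(per_ip[ip]["sources"])
        print(f"{ip}: {nbytes} suspect bytes from {srcs} reflectors -> {suggest_filter(ip)}")
```

The size check is what separates a per-address port-123 block from a blanket one: a plain "deny udp 123 to the router address" also discards the router's own time-synchronisation replies, whereas matching on oversized payloads keeps 48-byte client/server exchanges working. Whether an upstream can apply a length-qualified match depends on its platform, which is why the emitted line is only a starting point for the conversation with the provider.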

