[Outages-discussion] [outages] enough of this ntp bs.

Frank Bulk frnkblk at iname.com
Sat Mar 8 12:46:56 EST 2014


Are you able to provide a list of the IP addresses that are being used for this
reflection attack? I know that CloudFlare listed just the ASes that have
IPs in it and that helped some people get additional traction for resources
to be applied to this issue. It's one thing for their open NTP or DNS
server to be on Jared Mauch's lists, it's another when they are actually
used in an attack.

 

Frank

 

From: Bryan Socha [mailto:bryan at serverstack.com] 
Sent: Saturday, March 08, 2014 11:25 AM
To: Frank Bulk
Cc: outages-discussion; Terrence
Subject: Re: [Outages-discussion] [outages] enough of this ntp bs.

 

They are, but it's taking out their backbones in the area. They are helping,
but they are literally blocking as far away as possible. Personally,
the problem is the eyeball devices and their setup and how they ignore that
they are the problem. This is getting really old really fast and it's
time they do something about it. We all took care of business but they are
the source of the problem and it's annoying.

I know I'm just venting and not really on topic for outages but this is just
nuts. Things need to change and change fast. This might be starting
with us but give it 3 weeks and you'll all be seeing it too.

btw if you don't know, this is about digitalocean, not serverstack, I just
use this email on puck.   btw, we're hiring if anyone is bored of their no
attack comfy job that they get to go home at night and not work on the
weekends..    




Bryan Socha

Network Engineer

646.450.0472 | bryan at serverstack.com

 

ServerStack | Scale Big

 

On Sat, Mar 8, 2014 at 12:16 PM, Frank Bulk <frnkblk at iname.com> wrote:

Forgive my naivety, but if the target port is the same (UDP 123) and there
are only nine target IPs, why aren't the upstream providers applying a
simple filter upstream of "ip deny all <router ip> udp 123"?

 

Frank

 

From: Bryan Socha [mailto:bryan at serverstack.com]
Sent: Saturday, March 08, 2014 10:32 AM
To: Terrence
Cc: Frank Bulk; outages-discussion at outages.org
Subject: Re: [Outages-discussion] [outages] enough of this ntp bs.

 

That won't help, they're not attacking "me", they are attacking the IP address
of all 9 provider links on my peering routers. I can't offload the
cleaning, it's the datacenter itself under attack but on IPs I can't even
blackhole. I am at the mercy of providers to block their IP from being
attacked without dropping my datacenter. 2 days ago we changed IPs of the
router and it took 45 seconds for the attack to move. Even if I had
100gbps links, the attack is still too large to stop.




Bryan Socha

Network Engineer

646.450.0472 | bryan at serverstack.com

 

ServerStack | Scale Big

 

On Sat, Mar 8, 2014 at 11:27 AM, Terrence <terrence.oconnor at gmail.com> wrote:

Sounds like you need some DDoS help. Let me know. ;)

We've been certainly seeing an uptick in the number and size of attacks
lately. I am not sure why the last mile providers aren't blocking spoofed
source addresses.

There really isn't a good mitigation strategy other than offloading the
attacks to a scalable provider. Or having ISPs validate the source prior to
forwarding the packet. You just can't mitigate 450Gbps attacks at origin
infrastructure.

 


-

Terrence

Sent from my iPhone, please excuse any errors.


On Mar 8, 2014, at 11:10 AM, "Frank Bulk" <frnkblk at iname.com> wrote:

If you've seen more than 300 Gbps you should blog about it.  =) The largest
documented to date is CloudFlare's. 

 

Are your upstream providers blocking NTP packets larger than a certain size?

 

Frank

 

From: Bryan Socha [mailto:bryan at serverstack.com] 
Sent: Saturday, March 08, 2014 10:04 AM
To: Frank Bulk
Cc: outages-discussion at outages.org
Subject: Re: [outages] enough of this ntp bs.

 

It might sound like a joke but I've seen hundreds of gigs of attacks every
morning. It's all coming from home CPE devices and I think they need to
start paying us for their incompetence. In 2014, why is this a
problem!!?!???!?!?!!? It's time to be responsible.




Bryan Socha

Network Engineer

646.450.0472 | bryan at serverstack.com

 

ServerStack | Scale Big

 

On Sat, Mar 8, 2014 at 10:57 AM, Frank Bulk <frnkblk at iname.com> wrote:

We've seen more DDoS attacks than normal, too, not just on ourselves, but on
other networks where I have visibility. Funny that I saw an email in my inbox
from Arbor Networks regarding an NTP DDoS webinar.

 

Frank

 

From: Outages [mailto:outages-bounces at outages.org] On Behalf Of Bryan Socha
Sent: Saturday, March 08, 2014 9:41 AM
To: outages at outages.org
Subject: [outages] enough of this ntp bs.

 

All week long I'm seeing NTP attacks on provider IPs on my router. Enough
of this BS, it's time to stand up and block this BS.

 

_______________________________________________
Outages-discussion mailing list
Outages-discussion at outages.org
https://puck.nether.net/mailman/listinfo/outages-discussion
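The thread raises three technical points: why NTP reflection traffic can be told apart from timekeeping (it is mode-7 "private" replies, far larger than a normal 48-byte packet, which is the size cutoff Frank asks about), and why last-mile source validation (Terrence's point) would stop the spoofed queries before they reach any open server. The Python below is an added example, not code from anyone in the thread; the addresses, prefixes and packet bytes are constructed documentation values, not a real capture.

```python
import ipaddress
from collections import namedtuple

NTP_PORT = 123
NTP_STD_LEN = 48  # a normal NTPv3/v4 client or server packet is exactly 48 bytes
Pkt = namedtuple("Pkt", "src dst sport dport payload")  # constructed record, not a pcap type


def ntp_mode(payload: bytes) -> int:
    # low three bits of byte 0: 3 = client, 4 = server, 7 = private (where monlist lives)
    return payload[0] & 0x07


def reflection_indicators(pkt) -> list:
    """Reasons a UDP/123 packet looks like amplified reflection traffic rather than timekeeping."""
    reasons = []
    if NTP_PORT not in (pkt.sport, pkt.dport) or not pkt.payload:
        return reasons
    if ntp_mode(pkt.payload) == 7:
        reasons.append("mode7")      # private-mode replies carry no time, only bulk
    if len(pkt.payload) > NTP_STD_LEN:
        reasons.append("oversized")  # the size cutoff an upstream could rate-limit on
    return reasons


def bcp38_ok(pkt, customer_prefixes) -> bool:
    """Ingress check at the last mile: a packet leaving the customer port must carry a customer source."""
    return any(ipaddress.ip_address(pkt.src) in net for net in customer_prefixes)


# Constructed sample traffic (RFC 5737 documentation addresses, not a real capture).
CUSTOMER = [ipaddress.ip_network("203.0.113.0/24")]
OUTBOUND = [  # seen leaving the customer access port; the ingress filter applies here
    Pkt("203.0.113.10", "198.51.100.1", 50000, 123, bytes([0x23]) + b"\x00" * 47),        # honest client query
    Pkt("192.0.2.7", "198.51.100.1", 40000, 123, bytes([0x17, 0, 3, 42]) + b"\x00" * 4),  # spoofed mode-7 query
]
INBOUND = [  # seen arriving on the provider link; reflection indicators apply here
    Pkt("198.51.100.1", "203.0.113.10", 123, 50000, bytes([0x24]) + b"\x00" * 47),          # honest server reply
    Pkt("198.51.100.1", "192.0.2.7", 123, 40000, bytes([0x97, 0, 3, 42]) + b"\x00" * 436),  # 440-byte reflected reply
]


def triage():
    """Return (sources the ingress filter would drop, indicators for each inbound packet)."""
    dropped = [p.src for p in OUTBOUND if not bcp38_ok(p, CUSTOMER)]
    flagged = [reflection_indicators(p) for p in INBOUND]
    return dropped, flagged  # -> (['192.0.2.7'], [[], ['mode7', 'oversized']])
```

The spoofed query never gets a chance to be reflected if the access port applies bcp38_ok, and the provider-side indicators only fire on the mode-7 reply, never on ordinary client/server exchanges.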

 

 
