
all week long I'm seeing ntp attacks on provider ips on my router. Enough of this bs, it's time to stand up and block this BS....

On Mar 8, 2014 7:45 AM, "Bryan Socha" <bryan@serverstack.com> wrote:
all week long I'm seeing ntp attacks on provider ips on my router.
Enough of this bs, it's time to stand up and block this BS....
+1 I suggest you understand the baseline udp load of your network and do a flat 5x the baseline policer. This will capture attacks for dns, ntp, chargen and all the other sludge in udp. Udp sucks. Baseline, police, done. Also see http://openntpproject.org

CB
_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages

Do I really have to go there again? http://www.bcp38.info

This will happen when there is a financial disincentive to maintain the status quo. That is, when ISPs who don't do this start getting sued for being complicit.

On Mar 8, 2014 5:54 PM, "Alain Hebert" <ahebert@pubnix.net> wrote:
Do I really have to go there again?

In short, yes.. Now to get the ISPs to implement it. I am still not a fan of UDP.

- Terrence
Sent from my iPhone please excuse any errors.
On Mar 8, 2014, at 12:52 PM, "Alain Hebert" <ahebert@pubnix.net> wrote:
Do I really have to go there again?

It's not UDP's fault, it's the amplifying effects of an open NTP server that's the issue, and NTP servers are in all kinds of places, and having a secure config is not an end-user-easy experience. Even things like JunOS run NTP as open by default.

UDP is great for what it's designed for, connectionless data exchanges... and TCP SYN attacks can be pretty big, and back in the old days ICMP smurf attacks were all the rage. It's also just a matter of time before someone discovers there's a common IPv6-based hack and enough v6 nodes in the world to do some damage.

I'm also not convinced BCP38 will make the issue go away; it only takes a small number of ISPs to either not be implementing it or accidentally stop filtering, and modern server and home broadband connection speeds are fast enough that a handful of bots can generate very large amounts of traffic. I think ISPs and upstreams need to be more proactive in identifying open NTP servers in their customers' networks.

Steve

On 8 March 2014 22:48, Terrence <terrence.oconnor@gmail.com> wrote:
In short, yes.. Now to get the ISPs to implement it. I am still not a fan of UDP.
- Terrence
Sent from my iPhone please excuse any errors.

On Mar 8, 2014 11:13 AM, "Stephen Wilcox" <steve.wilcox@ixreach.com> wrote:
It's not UDP's fault, it's the amplifying effects of an open NTP server
that's the issue, and NTP servers are in all kinds of places, and having a secure config is not an end-user-easy experience. Even things like JunOS run NTP as open by default.
UDP is great for what it's designed for, connectionless data exchanges...
and TCP SYN attacks can be pretty big, and back in the old days ICMP smurf attacks were all the rage. It's also just a matter of time before someone discovers there's a common IPv6-based hack and enough v6 nodes in the world to do some damage.
I'm also not convinced BCP38 will make the issue go away; it only takes a
small number of ISPs to either not be implementing it or accidentally stop filtering, and modern server and home broadband connection speeds are fast enough that a handful of bots can generate very large amounts of traffic. I think ISPs and upstreams need to be more proactive in identifying open NTP servers in their customers' networks.
If it's not NTP today, it's chargen and DNS tomorrow and SNMP the day after that. http://www.internetsociety.org/doc/amplification-hell-revisiting-network-pro...
Steve
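The "know your baseline UDP load, police at a flat 5x" advice earlier in the thread, and the point that the amplifier of the day rotates between NTP, chargen, DNS and SNMP, as an added worked example that is not part of the thread: a Python script that derives a baseline from constructed per-minute flow records, computes the 5x threshold, and reports which intervals would have tripped it together with the dominant UDP source port. The record layout, the sample packet counts and the port-to-service table are assumptions of this example, not data from any list member.

```python
"""Added example (not from the thread): estimate a network's baseline UDP
load from flow records and flag intervals exceeding a flat multiple of it,
breaking each offending interval down by UDP source port so the amplifier
type (NTP, DNS, chargen, SNMP, ...) is visible to the operator."""
import statistics
from collections import defaultdict

# Source ports of the reflection services named in the thread
# (assumption of this example: a flat lookup table, not a full service map).
AMPLIFIER_PORTS = {123: "ntp", 53: "dns", 19: "chargen", 161: "snmp"}

# Constructed flow records: (unix_timestamp, proto, src_port, packets).
# Minutes 0-4 are normal load (~900 UDP pkts/min); minute 5 carries a burst
# of packets sourced from UDP/123, i.e. traffic reflected off NTP servers.
SAMPLE_FLOWS = []
for minute in range(5):
    SAMPLE_FLOWS += [
        (minute * 60 + 5, "udp", 53, 600),     # recursive DNS answers
        (minute * 60 + 20, "udp", 443, 300),   # QUIC
        (minute * 60 + 40, "tcp", 443, 5000),  # HTTPS, ignored by a UDP policer
    ]
SAMPLE_FLOWS += [
    (310, "udp", 53, 600),
    (310, "udp", 443, 300),
    (312, "udp", 123, 40000),  # reflected NTP responses
]


def analyze(records, multiplier=5, interval=60):
    """Return the UDP baseline (median packets per interval), the policer
    threshold (multiplier * baseline) and the intervals that exceed it."""
    per_interval = defaultdict(int)                   # start -> UDP packets
    per_port = defaultdict(lambda: defaultdict(int))  # start -> port -> packets
    for ts, proto, sport, pkts in records:
        if proto != "udp":          # TCP floods belong to a separate policer
            continue
        start = ts // interval * interval
        per_interval[start] += pkts
        per_port[start][sport] += pkts
    if not per_interval:
        return {"baseline": 0, "threshold": 0, "alerts": []}
    # Median rather than mean, so the burst itself does not lift the baseline.
    baseline = statistics.median(per_interval.values())
    threshold = multiplier * baseline
    alerts = []
    for start in sorted(per_interval):
        total = per_interval[start]
        if total <= threshold:
            continue
        port, pkts = max(per_port[start].items(), key=lambda kv: kv[1])
        alerts.append({
            "start": start,
            "udp_packets": total,
            "top_src_port": port,
            "service": AMPLIFIER_PORTS.get(port, "other"),
            "top_port_share": round(pkts / total, 3),
        })
    return {"baseline": baseline, "threshold": threshold, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    print(f"baseline {result['baseline']:.0f} UDP pkts/min, "
          f"policer at {result['threshold']:.0f}")
    for a in result["alerts"]:
        print(f"t={a['start']}: {a['udp_packets']} UDP pkts, "
              f"{a['top_port_share']:.0%} from src port {a['top_src_port']} "
              f"({a['service']})")
```

In practice the baseline comes from a flow collector over a known-quiet period and the policer itself is configured on the router; this script only shows where a 5x threshold lands on the sample data and which source port dominated the interval that crossed it. The per-port breakdown is what tells you whether today's sludge is NTP, DNS, chargen or SNMP.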

----- Original Message -----
From: "Stephen Wilcox" <steve.wilcox@ixreach.com>
I'm also not convinced BCP38 will make the issue go away; it only takes a small number of ISPs to either not be implementing it or accidentally stop filtering, and modern server and home broadband connection speeds are fast enough that a handful of bots can generate very large amounts of traffic. I think ISPs and upstreams need to be more proactive in identifying open NTP servers in their customers' networks.
Sure, but at least a server which is being used to bank off of, but for some reason cannot immediately fix things the right way, will be helped by -38, since source packets will have *real* filterable addresses.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

Those that are interested in getting a list of NTP amplifiers in their network can e-mail ntp-scan@puck.nether.net with their AS number in the subject line and get a list of NTP and DNS amplifiers in your network.

As of 2014-03-07 there were:

127,621 hosts that responded to "ntpdc -n -c monlist 192.0.2.1" (MONLIST query)
4,355,475 hosts that responded to "ntpq -c rv 192.0.2.1" (version query)

You can also search any /22 up to /32 online at the OpenNTPProject.org website.

- Jared
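Stephen's point that a secure NTP config is not an easy end-user experience, and the two query types behind Jared's counts (the ntpdc monlist query and the ntpq version query), as an added example that is not the thread's own material: a Python audit of an ntpd ntp.conf that checks whether every default restrict line carries noquery and whether the monitor facility is disabled, run over a constructed open-by-default config, a constructed half-fixed one and a constructed hardened one. The three configs are constructed for this example; the keyword semantics are those of ntpd's ntp.conf (noquery denies ntpq/ntpdc control queries without affecting time service, and disable monitor switches off the MRU list that monlist reports).

```python
"""Added example (not from the thread): audit an ntpd ntp.conf for the two
query surfaces behind NTP reflection: ntpq/ntpdc control queries (denied by
'noquery' on the default restrict) and the monlist facility ('disable
monitor'). Time service itself is unaffected by either setting."""

# Constructed configs (not taken from any real host).
OPEN_CONF = """
# open-by-default: serves time, but also answers any mode 6/7 query
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
"""

PARTIAL_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # forgot noquery on the IPv4 line
restrict -6 default kod nomodify notrap nopeer noquery
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# serve time to anyone, answer control queries to nobody
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor   # no MRU list, so there is nothing for monlist to return
"""


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means no exposure was found."""
    monitor_enabled = True   # ntpd's monitor facility is on unless disabled
    default_flags = []       # one flag set per 'restrict [-4|-6] default' line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_enabled = tokens[0] == "enable"   # last directive wins
        elif tokens[0] == "restrict":
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):
                rest = rest[1:]
            if rest and rest[0] == "default":
                default_flags.append(set(rest[1:]))
    findings = []
    if not default_flags:
        findings.append("no 'restrict default' line: any source may query "
                        "and modify the daemon")
    elif any("noquery" not in flags for flags in default_flags):
        findings.append("a 'restrict default' line lacks noquery: ntpq rv and "
                        "ntpdc monlist are answered for any source")
    if monitor_enabled:
        findings.append("monitor facility not disabled: monlist can still "
                        "return the MRU list on ntpd builds that implement it")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("partial", PARTIAL_CONF),
                       ("hardened", HARDENED_CONF)):
        findings = audit_ntp_conf(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The two checks are independent on purpose: noquery stops the version query and monlist at the access-control layer, while disable monitor removes the data monlist would return even if a more permissive restrict line is added later. The hardened config keeps time service open to all clients, so an audit finding here is about control queries, not about whether the box still serves time.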
participants (8)
- Alain Hebert
- Avleen Vig
- Bryan Socha
- Cb B
- Jared Mauch
- Jay Ashworth
- Stephen Wilcox
- Terrence