Good afternoon,
I have received an alert about a DDoS attack that appears to be using your network as part of the attack.
The service being abused is NTP (Network Time Protocol).
If you would please, forward this email to your network technician (if that is not part of your role) for isolation and resolution.
Also, you may want to review the alert from US-CERT: http://www.us-cert.gov/ncas/alerts/TA14-013A
Thank you very much,
Randy Heim | Abuse Specialist
Integra | 4400 NE 77th Ave | Vancouver, WA 98662
Phone 800.322.3961 | fax 360.816.5317
A public NTP server on your network, running on IP address 70.102.34.162, participated in a very large-scale attack against a customer of ours today, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.
Please consider reconfiguring this NTP server in one or more of these ways:
1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.
If you don't mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.
Fixing open NTP servers is important; with the 400x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request usually generates 18252 bytes worth of response traffic -- it only takes one machine on an unfiltered 1 Gbps link to create a 450+ Gbps attack!
If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
Further reading:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
You can find more vulnerable servers on a network through this site: http://openntpproject.org/
Example NTP responses from the host during this attack are given below.
Timestamps (far left) are PST (UTC-8), and the date is 2014-02-10.
16:03:20.861468 IP 70.102.34.162.123 > 74.91.121.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 0000 4000 3b11 10d5 4666 22a2 E.....@.;...Ff".
0x0010: 4a5b 79e1 007b 6987 01c0 ead1 d700 032a J[y..{i........*
0x0020: 0006 0048 0000 0355 0000 0019 0000 0000 ...H...U........
0x0030: 0000 763f d8da feca 4666 22a2 0000 0001 ..v?....Ff".....
0x0040: 007b 0404 0000 0000 0000 0000 .{..........
16:03:20.861507 IP 70.102.34.162.123 > 74.91.121.x.27015: NTPv2, Reserved, length 440
0x0000: 4500 01d4 0000 4000 3b11 10d5 4666 22a2 E.....@.;...Ff".
0x0010: 4a5b 79e1 007b 6987 01c0 ead1 d700 032a J[y..{i........*
0x0020: 0006 0048 0000 0355 0000 0019 0000 0000 ...H...U........
0x0030: 0000 763f d8da feca 4666 22a2 0000 0001 ..v?....Ff".....
0x0040: 007b 0404 0000 0000 0000 0000 .{..........
(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "225".)
-John
President
Nuclearfallout Enterprises, Inc. (NFOservers.com)
(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at n...@nfoe.net.)
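The tcpdump records quoted in the notice can be decoded to confirm what the server actually sent: an NTP mode-7 (private) response to request code 42, the "monlist" query, carrying 6 entries of 72 bytes each (8 + 6 * 72 = 440 bytes, matching the captured length) with the "more" bit set because further datagrams follow. The following decoder is an added example, not part of either notice; its hex is copied from the first packet above, and the field layout of the monitor entry follows ntpd's ntp_request.h (the constant names here are this example's own).

```python
import struct
from ipaddress import IPv4Address

# Hex copied from the first tcpdump record in the notice above (76 bytes were
# captured; offsets and the ASCII column have been removed).
SAMPLE_HEX = """
4500 01d4 0000 4000 3b11 10d5 4666 22a2
4a5b 79e1 007b 6987 01c0 ead1 d700 032a
0006 0048 0000 0355 0000 0019 0000 0000
0000 763f d8da feca 4666 22a2 0000 0001
007b 0404 0000 0000 0000 0000
"""

NTP_MODE_PRIVATE = 7          # ntpd "mode 7" control protocol (used by ntpdc)
REQ_MON_GETLIST_1 = 42        # request code of the monlist query
# Leading fields of ntpd's struct info_monitor_1: lasttime, firsttime, restr,
# count, addr, daddr, flags, port, mode, version (32 of the 72 bytes).
MONITOR_ENTRY = "!IIIIIIIHBB"

def hexdump_to_bytes(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))

def parse_monlist_response(pkt: bytes) -> dict:
    """Decode the IPv4/UDP headers and the NTP mode-7 response carried in pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, udp_len = struct.unpack_from("!HHH", pkt, ihl)
    ntp = pkt[ihl + 8:]
    b0 = ntp[0]                                   # R | M | VN(3) | Mode(3)
    err_nitems, mbz_itemsize = struct.unpack_from("!HH", ntp, 4)
    out = {
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "sport": sport, "dport": dport, "udp_payload_len": udp_len - 8,
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
        "implementation": ntp[2], "request_code": ntp[3],
        "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }
    out["is_monlist_response"] = (out["response"] and out["mode"] == NTP_MODE_PRIVATE
                                  and out["request_code"] == REQ_MON_GETLIST_1)
    # Payload size the header implies: 8-byte header plus nitems entries of itemsize.
    out["expected_payload_len"] = 8 + out["nitems"] * out["itemsize"]
    # First entry: monlist discloses the server's recent clients to anyone who asks.
    if out["is_monlist_response"] and len(ntp) >= 8 + struct.calcsize(MONITOR_ENTRY):
        _last, _first, _restr, count, addr, daddr, _flags, port, mode, ver = \
            struct.unpack_from(MONITOR_ENTRY, ntp, 8)
        out["first_entry"] = {"client": str(IPv4Address(addr)), "local": str(IPv4Address(daddr)),
                              "count": count, "port": port, "mode": mode, "version": ver}
    return out

if __name__ == "__main__":
    print(parse_monlist_response(hexdump_to_bytes(SAMPLE_HEX)))
```

Running it on a capture from your own NTP server is a quick way to verify whether "disable monitor" or the upgrade took effect: after the fix, no mode-7 response with request code 42 should leave the host.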