TWC (AS11351) blocking all NTP?

Jared Mauch jared at puck.nether.net
Mon Feb 3 18:39:10 UTC 2014


On Feb 3, 2014, at 12:45 AM, Michael DeMan <nanog at deman.com> wrote:

> The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective.
> I had a friend who had a local ISP affected by this Thursday and also another case where just two Asterisk servers saturated a 100 Mbps link to the point of unusability.
> Once more - this exploit is seriously effective at using bandwidth by reflection.

The challenge I see is there's some hosts like this one:

[jared at nowherelikehome ]$ ntpq  -c rv 111.107.252.142
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
reftime=d685a094.9c806290  Sun, Jan 19 2014  0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4  Mon, Feb  3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042

This host will happily generate a 100GB response to a single packet.

They even have advisories posted:

http://www.seil.jp/support/security/a01411.html

Getting the information to the admin is hard.  Time zones, language barriers, folks understanding why having unmaintained NTP hosts out there can be a significant issue.  We found many ILO/IPMI interfaces that have NTP you can't do anything about (no filters, etc.), let alone patch.

Through ACL (hopefully not) or folks fixing hosts the following trend is observable in # of unique hosts that respond to NTP packets:

  1529866 2014-01-10
  1402569 2014-01-17
   803156 2014-01-24
   564027 2014-01-31

I will say that an awful lot of "firewall" operators out there seem to now be saying "NTP BAD" and generating panicked emails about NTP traffic.

- Jared
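A parser for the ntpq rv reply quoted above, plus the two checks a defender would run on a host that answers such a query from outside, as an added example (not Jared's code; the sample input is the reply from the post, while the 4.2.7p26 threshold and the ntp.conf lines are standard ntpd hardening guidance, not something the post states):

```python
import re

# The ntpq -c rv reply quoted in the post, embedded here as sample input.
SAMPLE_RV = """associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
reftime=d685a094.9c806290  Sun, Jan 19 2014  0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4  Mon, Feb  3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042
"""

# A value runs until the next ", name=" boundary. Quoted values may contain commas,
# and the reftime/clock timestamps contain ", " that is not followed by "name=".
_VAR_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=,\s*\w+=|\s*$)')

def parse_rv(text):
    """Turn ntpq 'rv' output into a dict; status words from the first line go under 'status_words'."""
    first, _, rest = text.partition("\n")
    out = {}
    m = re.match(r'associd=(\d+) status=([0-9a-f]+)\s*(.*)', first)
    if m:
        out["associd"], out["status"] = m.group(1), m.group(2)
        out["status_words"] = [w.strip() for w in m.group(3).rstrip(",").split(",")]
    for k, v in _VAR_RE.findall(rest.replace("\n", " ")):
        out[k] = v.strip().strip('"')
    return out

def ntpd_version(vars_):
    """(major, minor, patch, p-level) parsed from version="ntpd 4.2.0-r ...", or None."""
    m = re.search(r'ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', vars_.get("version", ""))
    return tuple(int(x or 0) for x in m.groups()) if m else None

def findings(vars_):
    """Defender-side observations about a host that answered readvar from outside its network."""
    notes = []
    if "status" in vars_:
        notes.append("answers mode 6 (ntpq) queries from an arbitrary source; "
                     "ntp.conf needs 'restrict default kod nomodify notrap nopeer noquery'")
    v = ntpd_version(vars_)
    # 4.2.7p26 is the first ntpd release that ships with the monlist responder off by default.
    if v and v < (4, 2, 7, 26):
        notes.append("ntpd %d.%d.%d predates 4.2.7p26; put 'disable monitor' in ntp.conf "
                     "or take the vendor's update" % v[:3])
    return notes

if __name__ == "__main__":
    for n in findings(parse_rv(SAMPLE_RV)):
        print("-", n)
```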
