TWC (AS11351) blocking all NTP?
Jared Mauch
jared at puck.nether.net
Mon Feb 3 18:39:10 UTC 2014
On Feb 3, 2014, at 12:45 AM, Michael DeMan <nanog at deman.com> wrote:
> The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective.
> I had a friend who had a local ISP affected by this Thursday and also another case where just two Asterisk servers saturated a 100 Mbps link to the point of unusability.
> Once more - this exploit is seriously effective at using bandwidth by reflection.
The challenge I see is there are some hosts like this one:
[jared at nowherelikehome ]$ ntpq -c rv 111.107.252.142
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
reftime=d685a094.9c806290 Sun, Jan 19 2014 0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4 Mon, Feb 3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042
This host will happily generate a 100GB response to a single packet.
They even have advisories posted:
http://www.seil.jp/support/security/a01411.html
Getting the information to the admin is hard. Time zones, language barriers, folks understanding why having unmaintained NTP hosts out there can be a significant issue. We found many ILO/IPMI interfaces that have NTP you can't do anything about (no filters, etc.), let alone patch...
Through ACLs (hopefully not) or folks fixing hosts, the following trend is observable in the number of unique hosts that respond to NTP packets:
1529866 2014-01-10
1402569 2014-01-17
803156 2014-01-24
564027 2014-01-31
I will say that an awful lot of "firewall" operators out there seem to now be saying "NTP BAD" and generating panicked emails about NTP traffic.
- Jared
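A defender-side check that follows from the thread, added here as an example and not part of Jared's post: a small linter for an ntpd ntp.conf that reports whether the default `restrict` lines carry `noquery` (which denies the mode 6 control queries behind `ntpq -c rv` and the mode 7 `monlist` request) and whether `disable monitor` is set. The two config texts are constructed samples; `audit_ntp_conf` is a hypothetical helper name.

```python
# Constructed sample configs (not from the post): an unmaintained
# default-style ntp.conf and a hardened one.
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
disable monitor                  # stop monlist recording on older ntpd
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# noquery denies mode 6/7 queries; nomodify denies runtime reconfiguration.
REQUIRED = {"noquery", "nomodify"}


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means remote control and
    monitor queries are denied by the default restrict lines."""
    findings = []
    flags = {"-4": None, "-6": None}   # flags on the default line per family
    monitor_disabled = False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            fams, rest = ["-4", "-6"], tokens[1:]
            if rest and rest[0] in fams:          # explicit -4 / -6 family
                fams, rest = [rest[0]], rest[1:]
            if rest and rest[0] == "default":     # a bare 'default' covers both
                for fam in fams:
                    flags[fam] = set(rest[1:])
    for fam, got in flags.items():
        if got is None:
            findings.append(f"no 'restrict {fam} default' line: {fam} queries unrestricted")
        elif not REQUIRED <= got:
            findings.append(f"restrict {fam} default lacks {sorted(REQUIRED - got)}")
    if not monitor_disabled:
        findings.append("'disable monitor' absent: monlist data may still be recorded")
    return findings
```

Run it against each config in turn; the open one yields three findings and the hardened one none.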