ddos attack blog

Fri Feb 14 01:01:27 UTC 2014

On Feb 13, 2014, at 1:47 PM, John <jschiel at flowtools.net> wrote:

> On 02/13/2014 10:06 AM, Cb B wrote:
>> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH,
>> DTAG and others
>> 
>> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>> 
>> Standard plug for http://openntpproject.org/ and
>> http://openresolverproject.org/ and bcp38 , please fix/help.
>> 
>> For those of you paying attention to the outage list, this is a pretty
>> big deal that has had daily ramification for some very big networks
>> https://puck.nether.net/pipermail/outages/2014-February/date.html
>> 
>> In general, i think UDP is doomed to be blocked and rate limited --
>> tragedy of the commons.  But, it would be nice if folks would just fix
>> the root of the issue so the rest of us don't have go there...
> 
> UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices.
> 
> Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol.
> 

Be careful what you wish for.  I know some people have just blocked all NTP to keep their servers from participating in attacks.  This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment.

I would actually like to ask for those folks to un-block NTP so there is proper data on the number of hosts for those researching this.  The right thing to do is reconfigure them.  I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks.

I've seen maybe 100-200 per-ASN reports handed out to network operators.  If you want yours, please e-mail ntp-scan at puck.nether.net to obtain it.  Put your ASN in the subject line and/or body.

- Jared (and others like Patrick that presented on the projects behalf).