Fwd: port 123 reflection attacks
nanogml at Mail.DDoS-Mitigator.net
Wed Dec 30 10:11:39 UTC 2015
hi ya colin
On 12/30/15 at 09:04am, Colin Johnston wrote:
> Where does it say we need to contact home cert instead on your website ?
because cncert at cert.org.cn asked ?
> verification of what ?
i'd want to see if it's a simple port scan by a script kiddie vs
a more serious upcoming DOS attack from attackers with an "evil purpose"
they might just be poking around to find vulnerable ntpd servers ?
since there's been no satisfactory answer in 5 days,
in the meantime, i'd suggest:
- be sure ntpd is properly configured
- be sure to be running the latest ( no known exploits ) ntpd server
- ntpd servers should only be necessary for your servers ...
and incoming connections from outside should never reach your ntpd
- use an alternative ntpd server/source on a different wire
> HSOFT ranges have been compromised by NTP reflection attacks
there's a difference between compromised vs port scanning ( probes )
- compromised... hsoft need to fix it ( upgrade and reconfigure ntpd )
- probes/scanners ... nothing much you can do other than limit your
outgoing ( 123/udp) replies
- there's thousands of probes occurring constantly on various ports ...
> and the NTP servers hosted by HSOFT need to have a NTP update.
they better get going to update their ntpd and configs ...
i'd rattle hsoft's cage harder ... :-)
> This has been discussed on NANOG and I also sent information in Chinese to aid debug as well.
> Have had no response from HSOFT…
i wonder what else is occupying their time
magic pixie dust
> > From: "cncertcc" <cncert at cert.org.cn>
> > Subject: Re:Fwd: port 123 reflection attacks
> > Date: 30 December 2015 at 08:15:28 GMT
> > To: "Colin Johnston" <colinj at gt86car.org.uk>
> > Greetings,
> > Please forward the case to the corresponding CERT you are located in first to have it transferred to CNCERT after verification. Thanks for your understanding.
> >>> From: Colin Johnston <colinj at gt86car.org.uk>
> >>> Subject: port 123 reflection attacks
> >>> Date: 25 December 2015 at 11:19:26 GMT
> >>> To: 16036260 at qq.com, ipas at cnnic.cn
> >>> Cc: Colin Johnston <colinj at gt86car.org.uk>
> >>> please stop the port 123 reflection attacks from 126.96.36.199
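
One way to check the "be sure ntpd is properly configured" advice in the reply above, as an added example that is not part of the original thread: a small Python audit of ntp.conf text. It assumes "properly configured" means the commonly used restrict-default hardening (noquery, nomodify, notrap, nopeer) plus "disable monitor"; the function name and the sample configs are constructed for illustration.

```python
# Added example: audit ntp.conf text for settings relevant to 123/udp reflection.
# Flags on "restrict default" that stop ntpd answering or acting on
# mode 6/7 control queries (ntpq/ntpdc, e.g. monlist) from arbitrary hosts.
WANTED = ("noquery", "nomodify", "notrap", "nopeer")

def audit_ntp_conf(text):
    """Return a sorted list of findings for ntp.conf contents given as text."""
    findings = set()
    default_lines = 0
    monitor_off = False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(words) < 2:
            continue
        if words[0] == "restrict":
            # Simplification (assumption): IPv4 and IPv6 defaults are judged alike.
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if not args or args[0] != "default":
                continue
            default_lines += 1
            flags = set(args[1:])
            if "ignore" in flags:                 # drops every packet
                continue
            for flag in WANTED:
                if flag not in flags:
                    findings.add("restrict default is missing " + flag)
        elif words[0] == "disable" and "monitor" in words[1:]:
            monitor_off = True
    if default_lines == 0:
        findings.add("no restrict default line: queries accepted from any source")
    if not monitor_off:
        findings.add("monitor not disabled: monlist data may be collected")
    return sorted(findings)

# Constructed sample configs (not taken from any host in the thread).
WEAK_CONF = """driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED_CONF = """restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor   # monlist has nothing to report
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

A clean result only covers the config file; filtering inbound 123/udp at the border, as the reply suggests, is a separate check.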