The details of the attack I was involved with were:

- upstream bandwidth spike from customer to Internet (only flatlined due to CPE buffer).
- downstream bandwidth towards customer didn't really show any significant change but did hurt our edge buffers.
- 1000's of inbound NTP connections from random sources on the Internet to a single device on customer network (with open NTP config).
- I didn't check outbound connections from the customer to the Internet.

Questions

What is this type of DDoS called? I've heard a few different types mentioned: amplification, reflection etc.
Is the customer being individually targeted or just the exploitable NTP server?
Are these caused by bots or manually by individuals?

I've included a snapshot of the downstream connections

On 12 February 2014 07:32, Alan Buxey <[email protected]> wrote:
> +1 yep. Use any of these NTP resources to find issues within your
> ASNs/remit. As network admins it's our duty/responsibility to look after
> each other and try to keep the Internet free of such 'filth' :)
>
> Alan
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
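
Added example, not part of the original post: a short Python summary of flow-cache lines in the layout of the snapshot above, reporting destinations that receive UDP/123 from many distinct sources. The column order (source interface, source address, destination interface, destination address, protocol, source port, destination port, packets, with protocol and ports in hex) is an assumption read from the snapshot, and the sample lines and function names are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout of the snapshot in the post
# (assumed: SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts; Pr and ports in hex).
# Addresses come from documentation ranges, not from the post.
SAMPLE = """\
Gi0/0 192.0.2.10 Gi0/1 203.0.113.5 11 007B 007B 2
Gi0/0 192.0.2.77 Gi0/1 203.0.113.5 11 007B 007B 38
Gi0/0 198.51.100.4 Gi0/1 203.0.113.5 11 007B 007B 123
Gi0/0 198.51.100.9 Gi0/1 203.0.113.5 11 C350 007B 1
Gi0/0 198.51.100.20 Gi0/1 203.0.113.8 06 D431 0050 12
Gi0/1 203.0.113.8 Gi0/0 198.51.100.20 11 0035 E001 4
garbled line
"""

UDP, NTP_PORT = 17, 123  # 0x11 and 0x007B in the flow cache


def parse_flows(text):
    """Yield one dict per well-formed flow line, decoding the hex fields."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # header, blank or truncated line
        try:
            yield {"src": f[1], "dst": f[3], "proto": int(f[4], 16),
                   "sport": int(f[5], 16), "dport": int(f[6], 16),
                   "pkts": int(f[7])}
        except ValueError:
            continue  # non-numeric protocol, port or packet field


def ntp_fan_in(text, min_sources=3):
    """Return {dst: (distinct_sources, packets)} for destinations that
    receive UDP/123 from at least min_sources distinct source addresses."""
    sources, packets = defaultdict(set), defaultdict(int)
    for fl in parse_flows(text):
        if fl["proto"] == UDP and fl["dport"] == NTP_PORT:
            sources[fl["dst"]].add(fl["src"])
            packets[fl["dst"]] += fl["pkts"]
    return {d: (len(s), packets[d]) for d, s in sources.items()
            if len(s) >= min_sources}


if __name__ == "__main__":
    for dst, (n, pkts) in ntp_fan_in(SAMPLE).items():
        print(f"{dst}: {n} sources, {pkts} packets to UDP/123")
```

The `min_sources` threshold is a tuning value for the example; a host that legitimately serves NTP to many clients will also exceed it, so packet counts per source are worth reading alongside the fan-in.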
