On Feb 12, 2014, at 11:07 PM, Richard Clayton <[email protected]> wrote:

> What is this type of DDoS called?

An ntp reflection/amplification DDoS attack.

> Is the customer being individually targeted or just the exploitable NTP 
> server?

It sounds as if these are ntpds which are misconfigured and allow level-6/-7 
commands such as monlist to be issued, which produces a significant 
amplification.  The attackers are spoofing the source IPs of their targets, and 
the ntpds 'reply' with unsolicited large, fragmented UDP ntp 'responses'.

Check Jared's compendium for abusable ntpds on your netblocks and those of your 
customers:

<http://www.openntpproject.org/>

> Are these caused by bots or manually by individuals?

Bots being driven by individuals (when we get to the point where the bots make 
their own targeting decisions for DDoS attacks, things will be interesting, 
indeed, heh).

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
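
Added example, not part of the message above and not code from ntpd or the Open NTP Project: a static audit of ntp.conf text for the misconfiguration described in the reply, an ntpd that answers level-6/-7 (mode 6/7) queries such as monlist from any source. The function name, finding strings and both sample configurations are constructed for illustration, and an unqualified `restrict default` is assumed to cover IPv4 only.

```python
# Added example: static audit of ntp.conf text for mode 6/7 query exposure.
BLOCKING = {"noquery", "ignore"}  # either flag stops ntpq/ntpdc (mode 6/7) queries

def audit_ntp_conf(text):
    """Return findings for an ntp.conf; an empty list means nothing was flagged."""
    default_flags = {}        # "4" or "6" -> flags on that family's default rule
    monitor_disabled = False  # the monitor facility that feeds monlist is on by default
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tokens) < 2:
            continue
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"
        elif tokens[0] == "restrict":
            args = tokens[1:]
            # Assumption: an unqualified "restrict default" is read as IPv4 only,
            # the conservative choice; some ntpd versions apply it to both families.
            family = "4"
            if args[0] in ("-4", "-6"):
                family, args = args[0][1], args[1:]
            if args and args[0] == "default":
                default_flags[family] = set(args[1:])
    findings = []
    for family in ("4", "6"):
        flags = default_flags.get(family)
        if flags is None:
            findings.append(f"IPv{family}: no 'restrict default' rule, any source may query")
        elif not flags & BLOCKING:
            findings.append(f"IPv{family}: default rule lacks noquery")
    if not monitor_disabled:
        findings.append("monitor enabled: monlist has client data to return")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
server ntp.example.net iburst
restrict default nomodify notrap      # no noquery
restrict 127.0.0.1
"""
HARDENED_CONF = """
server ntp.example.net iburst
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

A clean result only covers the default rules and the monitor setting; narrower `restrict` entries for specific networks still need a manual read.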
