Re: [WISPA] be on the look out for this

2014-01-18 Thread Justin Wilson
http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573


From:  Gary Garrett 
Reply-To:  WISPA General List 
Date:  Saturday, January 18, 2014 at 9:43 PM
To:  WISPA General List 
Subject:  Re: [WISPA] be on the look out for this

> 
>  
> They spoofed one of my IP addresses and sent a NTP request to a time server
> from the botnet with the destination port as 19, chargen which returns a pile
> of random characters thereby amplifying the amount of packets. 4,000
> connections from every IP range you can imagine.
>  
>  
>  
>  
>  
>  On 1/18/2014 7:30 AM, Mike Hammett wrote:
>  
>  
>>   
>> Were you the target or the "source"?
>>  
>>  
>> 
>>  
>>  -
>>  Mike Hammett
>>  Intelligent Computing Solutions
>>  http://www.ics-il.com
>>  
>>  
>>  
>> 
>>  
>> From: "Gary Garrett"  <mailto:ggarr...@nidaho.net>
>>  To: "WISPA General List"  <mailto:wireless@wispa.org>
>>  Sent: Saturday, January 18, 2014 2:39:21 AM
>>  Subject: Re: [WISPA] be on the look out for this
>>  
>>  
>> We got hit by this. Real Bummer.  4,000 connections pounding ports 123 and 19
>> on one IP address. 30 meg sustained and 70 - 80 meg peaks.  Took down the
>> entire 100 meg fiber due to the massive packets per second.
>>  It is still ongoing but our upstream had to block it at the edge and is
>> still eating the bandwidth. You can not block it yourself so get help right
>> away.
>>  
>>  Why us?  I think a gamer on our network pissed off some hacker in a chat
>> room who had access to a botnet.
>>  You can rent a botnet for $200 a day if you can prove you are not the FBI.
>>  
>>  Gary 
>>  
>>  
>>  
>>  
>>  On 1/17/2014 7:24 AM, Joe Miller wrote:
>>  
>>  
>>>   
>>>  
>>> 
>>> We had a network outage yesterday afternoon, and thanks to Mike Francis at
>>> JMF Solutions the problem went away. So, anyone who needs network help…I
>>> would strongly recommend Mike Francis at JMF Solutions.
>>>  
>>>  
>>>  
>>> Kudos to Mike Francis.
>>>  
>>>  
>>>  
>>> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
>>>  
>>>  
>>>  
>>> Joe Miller
>>>  
>>> www.dslbyair.com <http://www.dslbyair.com>
>>>  
>>> 228-831-8881
>>>  
>>>  
>>>  
>>>  
>>>   
>>>  
>>> ___
>>> Wireless mailing list
>>> Wireless@wispa.org
>>> http://lists.wispa.org/mailman/listinfo/wireless
>>>  
>>  
>>  
>>  
>>  
>>  
>>  
>>   
>>  
>>  
>  
>  




Re: [WISPA] be on the look out for this

2014-01-18 Thread Gary Garrett
They spoofed one of my IP addresses and sent a NTP request to a time 
server from the botnet with the destination port as 19, chargen which 
returns a pile of random characters thereby amplifying the amount of 
packets. 4,000 connections from every IP range you can imagine.






On 1/18/2014 7:30 AM, Mike Hammett wrote:

Were you the target or the "source"?



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


*From: *"Gary Garrett" 
*To: *"WISPA General List" 
*Sent: *Saturday, January 18, 2014 2:39:21 AM
*Subject: *Re: [WISPA] be on the look out for this

We got hit by this. Real Bummer. 4,000 connections pounding ports 123 
and 19 on one IP address. 30 meg sustained and 70 - 80 meg peaks.  
Took down the entire 100 meg fiber due to the massive packets per second.
It is still ongoing but our upstream had to block it at the edge and 
is still eating the bandwidth. You can not block it yourself so get 
help right away.


Why us?  I think a gamer on our network pissed off some hacker in a 
chat room who had access to a botnet.

You can rent a botnet for $200 a day if you can prove you are not the FBI.

Gary




On 1/17/2014 7:24 AM, Joe Miller wrote:

We had a network outage yesterday afternoon, and thanks to Mike
Francis at JMF Solutions the problem went away. So, anyone who
needs network help...I would strongly recommend Mike Francis at
JMF Solutions.

Kudos to Mike Francis.

http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573


Joe Miller

www.dslbyair.com

228-831-8881





Re: [WISPA] be on the look out for this

2014-01-18 Thread Mike Hammett
Were you the target or the "source"? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

- Original Message -

From: "Gary Garrett"  
To: "WISPA General List"  
Sent: Saturday, January 18, 2014 2:39:21 AM 
Subject: Re: [WISPA] be on the look out for this 


We got hit by this. Real Bummer. 4,000 connections pounding ports 123 and 19 on 
one IP address. 30 meg sustained and 70 - 80 meg peaks. Took down the entire 
100 meg fiber due to the massive packets per second. 
It is still ongoing but our upstream had to block it at the edge and is still 
eating the bandwidth. You can not block it yourself so get help right away. 

Why us? I think a gamer on our network pissed off some hacker in a chat room 
who had access to a botnet. 
You can rent a botnet for $200 a day if you can prove you are not the FBI. 

Gary 




On 1/17/2014 7:24 AM, Joe Miller wrote: 




We had a network outage yesterday afternoon, and thanks to Mike Francis at JMF 
Solutions the problem went away. So, anyone who needs network help…I would 
strongly recommend Mike Francis at JMF Solutions. 

Kudos to Mike Francis. 

http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573 

Joe Miller 
www.dslbyair.com 
228-831-8881 




Re: [WISPA] be on the look out for this

2014-01-18 Thread Clay Stewart
It is a lot cheaper than that... here is an old article of the first botnet
herder going public on how it is done, and at $15.

http://www.forbes.com/sites/eliseackerman/2012/05/19/i-run-a-small-botnet-and-sell-stolen-information-ask-me-anything/


On Sat, Jan 18, 2014 at 3:39 AM, Gary Garrett  wrote:

>  We got hit by this. Real Bummer.  4,000 connections pounding ports 123
> and 19 on one IP address. 30 meg sustained and 70 - 80 meg peaks.  Took
> down the entire 100 meg fiber due to the massive packets per second.
> It is still ongoing but our upstream had to block it at the edge and is
> still eating the bandwidth. You can not block it yourself so get help right
> away.
>
> Why us?  I think a gamer on our network pissed off some hacker in a chat
> room who had access to a botnet.
> You can rent a botnet for $200 a day if you can prove you are not the FBI.
>
> Gary
>
>
>
>
> On 1/17/2014 7:24 AM, Joe Miller wrote:
>
>  We had a network outage yesterday afternoon, and thanks to Mike Francis
> at JMF Solutions the problem went away. So, anyone who needs network help…I
> would strongly recommend Mike Francis at JMF Solutions.
>
>
>
> Kudos to Mike Francis.
>
>
>
> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
>
>
>
> Joe Miller
>
> www.dslbyair.com
>
> 228-831-8881
>
>
>
>
>
>


-- 


-- 
SCS
  Clay Stewart
  CEO, Tye River Farms, Inc.,
  DBA Stewart Computer Services
  434.263.6363 O
  434.942.6510 C
  cstew...@stewartcomputerservices.com
“We Keep You Up and Running”
   Wireless Broadband
   Programming
  Network Services


Re: [WISPA] be on the look out for this

2014-01-18 Thread Gary Garrett
We got hit by this. Real Bummer.  4,000 connections pounding ports 123 
and 19 on one IP address. 30 meg sustained and 70 - 80 meg peaks.  Took 
down the entire 100 meg fiber due to the massive packets per second.
It is still ongoing but our upstream had to block it at the edge and is 
still eating the bandwidth. You can not block it yourself so get help 
right away.


Why us?  I think a gamer on our network pissed off some hacker in a chat 
room who had access to a botnet.

You can rent a botnet for $200 a day if you can prove you are not the FBI.

Gary




On 1/17/2014 7:24 AM, Joe Miller wrote:


We had a network outage yesterday afternoon, and thanks to Mike 
Francis at JMF Solutions the problem went away. So, anyone who needs 
network help...I would strongly recommend Mike Francis at JMF Solutions.


Kudos to Mike Francis.

http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573

Joe Miller

www.dslbyair.com

228-831-8881





Re: [WISPA] be on the look out for this

2014-01-17 Thread Butch Evans
On 01/17/2014 10:46 AM, Clay Stewart wrote:
> I would assume using NTP servers that do not use Monlist which are??
>

Newer than v4.2.7.  Also, with a firewall, you can block the traffic 
coming INTO your network with (logic rules):

chain: forward for routers, input for servers

* permit established, related
* permit local machines (desired) dst udp/123 toward your server
* permit your server dst udp/123 to the outside world
* drop other udp/123

The exact rules will depend on whether you are using mikrotik, linux, 
cisco or whatever and whether you are configuring a router that passes 
traffic or the server where the ntp service is running.

-- 
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/
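
Added example (not part of Butch Evans's post, and not code from any project named in the thread): one way to express the four logic rules above for Linux, as a shell function that prints iptables-restore input for either the forward (router) or input (server) case. The server address 192.0.2.10 and LAN range 192.0.2.0/24 are placeholder assumptions, and "drop other udp/123" is read here as destination port 123.

```shell
#!/bin/sh
# Added example: print iptables-restore input for the four logic rules.
# NTP_SERVER and LAN are placeholder values (assumptions); override via env.
NTP_SERVER="${NTP_SERVER:-192.0.2.10}"
LAN="${LAN:-192.0.2.0/24}"

# ntp_rules FORWARD  -> router that passes traffic for the NTP server
# ntp_rules INPUT    -> the host where the ntp service itself runs
ntp_rules() {
    chain="$1"
    case "$chain" in
        FORWARD|INPUT) ;;
        *) echo "usage: ntp_rules FORWARD|INPUT" >&2; return 1 ;;
    esac

    echo "*filter"
    # 1. permit established, related: replies to queries we sent out
    echo "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. permit local machines, dst udp/123, toward your server
    echo "-A $chain -s $LAN -d $NTP_SERVER -p udp --dport 123 -j ACCEPT"
    # 3. permit your server, dst udp/123, to the outside world
    if [ "$chain" = "FORWARD" ]; then
        echo "-A FORWARD -s $NTP_SERVER -p udp --dport 123 -j ACCEPT"
    else
        # on the server its own queries leave through OUTPUT, not INPUT
        echo "-A OUTPUT -p udp --dport 123 -j ACCEPT"
    fi
    # 4. drop other udp/123 (assumption: read as destination port 123).
    #    On a router this also stops LAN hosts from querying outside
    #    time servers directly; they are expected to use NTP_SERVER.
    echo "-A $chain -p udp --dport 123 -j DROP"
    echo "COMMIT"
}

# Print the router ruleset by default, or the one named in $1.
ntp_rules "${1:-FORWARD}"
```

Check the output with `ntp_rules FORWARD | iptables-restore --test --noflush` before loading it. The rules are appended, so they only take effect where no earlier rule in the chain already accepts the traffic.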


Re: [WISPA] be on the look out for this

2014-01-17 Thread Phil Curnutt
Just asking as we have been having trouble with our internal NTP server
knowing what day it is.

Phil

On Friday, January 17, 2014, Clay Stewart <
cstew...@stewartcomputerservices.com> wrote:
> Phil, it is a script which obtains IPs from NTP monitored data list. It
> is easily hackable.
> See http://nmap.org/nsedoc/scripts/ntp-monlist.html
>
>
> On Fri, Jan 17, 2014 at 11:53 AM, Phil Curnutt  wrote:
>>
>> NTP servers that use Monlist?  What's that about?
>>
>> Phil
>>
>> On Friday, January 17, 2014, Clay Stewart <cstew...@stewartcomputerservices.com> wrote:
>> > I would assume using NTP servers that do not use Monlist which are??
>> >
>> > On Fri, Jan 17, 2014 at 11:07 AM, CBB - Jay Fuller <par...@cyberbroadband.net> wrote:
>> >>
>> >>
>> >> What was the solution?
>> >>
>> >>
>> >> - Original Message -
>> >> From: Joe Miller
>> >> To: 'WISPA General List'
>> >> Sent: Friday, January 17, 2014 9:24 AM
>> >> Subject: [WISPA] be on the look out for this
>> >>
>> >> We had a network outage yesterday afternoon, and thanks to Mike
>> >> Francis at JMF Solutions the problem went away. So, anyone who needs
>> >> network help…I would strongly recommend Mike Francis at JMF Solutions.
>> >>
>> >>
>> >>
>> >> Kudos to Mike Francis.
>> >>
>> >>
>> >>
>> >> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
>> >>
>> >>
>> >>
>> >> Joe Miller
>> >>
>> >> www.dslbyair.com
>> >>
>> >> 228-831-8881
>> >>
>> >>
>> >>
>> >> 
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> >
>> >
>> > --
>> > SCS
>> >   Clay Stewart
>> >   CEO, Tye River Farms, Inc.,
>> >   DBA Stewart Computer Services
>> >   434.263.6363 O
>> >   434.942.6510 C
>> >   cstew...@stewartcomputerservices.com
>> > “We Keep You Up and Running”
>> >Wireless Broadband
>> >Programming
>> >   Network Services
>> >
>>
>
>
>
> --
>
>
> --
> SCS
>   Clay Stewart
>   CEO, Tye River Farms, Inc.,
>   DBA Stewart Computer Services
>   434.263.6363 O
>   434.942.6510 C
>   cstew...@stewartcomputerservices.com
> “We Keep You Up and Running”
>Wireless Broadband
>Programming
>   Network Services
>


Re: [WISPA] be on the look out for this

2014-01-17 Thread Clay Stewart
Phil, it is a script which obtains IPs from NTP monitored data list. It is
easily hackable.

See http://nmap.org/nsedoc/scripts/ntp-monlist.html



On Fri, Jan 17, 2014 at 11:53 AM, Phil Curnutt  wrote:

> NTP servers that use Monlist?  What's that about?
>
> Phil
>
>
> On Friday, January 17, 2014, Clay Stewart <
> cstew...@stewartcomputerservices.com> wrote:
> > I would assume using NTP servers that do not use Monlist which are??
> >
> > On Fri, Jan 17, 2014 at 11:07 AM, CBB - Jay Fuller <
> > par...@cyberbroadband.net> wrote:
> >>
> >>
> >> What was the solution?
> >>
> >>
> >> - Original Message -
> >> From: Joe Miller
> >> To: 'WISPA General List'
> >> Sent: Friday, January 17, 2014 9:24 AM
> >> Subject: [WISPA] be on the look out for this
> >>
> >> We had a network outage yesterday afternoon, and thanks to Mike Francis
> >> at JMF Solutions the problem went away. So, anyone who needs network help…I
> >> would strongly recommend Mike Francis at JMF Solutions.
> >>
> >>
> >>
> >> Kudos to Mike Francis.
> >>
> >>
> >>
> >> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
> >>
> >>
> >>
> >> Joe Miller
> >>
> >> www.dslbyair.com
> >>
> >> 228-831-8881
> >>
> >>
> >>
> >> 
> >>
> >>
> >
> >
> >
> > --
> >
> >
> > --
> > SCS
> >   Clay Stewart
> >   CEO, Tye River Farms, Inc.,
> >   DBA Stewart Computer Services
> >   434.263.6363 O
> >   434.942.6510 C
> >   cstew...@stewartcomputerservices.com
> > “We Keep You Up and Running”
> >Wireless Broadband
> >Programming
> >   Network Services
> >
>
>
>


-- 


-- 
SCS
  Clay Stewart
  CEO, Tye River Farms, Inc.,
  DBA Stewart Computer Services
  434.263.6363 O
  434.942.6510 C
  cstew...@stewartcomputerservices.com
“We Keep You Up and Running”
   Wireless Broadband
   Programming
  Network Services


Re: [WISPA] be on the look out for this

2014-01-17 Thread Phil Curnutt
NTP servers that use Monlist?  What's that about?

Phil

On Friday, January 17, 2014, Clay Stewart <
cstew...@stewartcomputerservices.com> wrote:
> I would assume using NTP servers that do not use Monlist which are??
>
> On Fri, Jan 17, 2014 at 11:07 AM, CBB - Jay Fuller <par...@cyberbroadband.net> wrote:
>>
>>
>> What was the solution?
>>
>>
>> - Original Message -
>> From: Joe Miller
>> To: 'WISPA General List'
>> Sent: Friday, January 17, 2014 9:24 AM
>> Subject: [WISPA] be on the look out for this
>>
>> We had a network outage yesterday afternoon, and thanks to Mike Francis
>> at JMF Solutions the problem went away. So, anyone who needs network help…I
>> would strongly recommend Mike Francis at JMF Solutions.
>>
>>
>>
>> Kudos to Mike Francis.
>>
>>
>>
>> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
>>
>>
>>
>> Joe Miller
>>
>> www.dslbyair.com
>>
>> 228-831-8881
>>
>>
>>
>> 
>>
>>
>
>
>
> --
>
>
> --
> SCS
>   Clay Stewart
>   CEO, Tye River Farms, Inc.,
>   DBA Stewart Computer Services
>   434.263.6363 O
>   434.942.6510 C
>   cstew...@stewartcomputerservices.com
> “We Keep You Up and Running”
>Wireless Broadband
>Programming
>   Network Services
>


Re: [WISPA] be on the look out for this

2014-01-17 Thread Clay Stewart
I would assume using NTP servers that do not use Monlist which are??


On Fri, Jan 17, 2014 at 11:07 AM, CBB - Jay Fuller <
par...@cyberbroadband.net> wrote:

>
> What was the solution?
>
>
> - Original Message -
> *From:* Joe Miller 
> *To:* 'WISPA General List' 
> *Sent:* Friday, January 17, 2014 9:24 AM
> *Subject:* [WISPA] be on the look out for this
>
>  We had a network outage yesterday afternoon, and thanks to Mike Francis
> at JMF Solutions the problem went away. So, anyone who needs network help…I
> would strongly recommend Mike Francis at JMF Solutions.
>
>
>
> Kudos to Mike Francis.
>
>
>
> http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573
>
>
>
> Joe Miller
>
> www.dslbyair.com
>
> 228-831-8881
>
>
>
> --
>
>
>


-- 


-- 
SCS
  Clay Stewart
  CEO, Tye River Farms, Inc.,
  DBA Stewart Computer Services
  434.263.6363 O
  434.942.6510 C
  cstew...@stewartcomputerservices.com
“We Keep You Up and Running”
   Wireless Broadband
   Programming
  Network Services


Re: [WISPA] be on the look out for this

2014-01-17 Thread CBB - Jay Fuller

What was the solution?

  - Original Message - 
  From: Joe Miller 
  To: 'WISPA General List' 
  Sent: Friday, January 17, 2014 9:24 AM
  Subject: [WISPA] be on the look out for this


  We had a network outage yesterday afternoon, and thanks to Mike Francis at
  JMF Solutions the problem went away. So, anyone who needs network help…I would
  strongly recommend Mike Francis at JMF Solutions.

   

  Kudos to Mike Francis.

   

  http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573 

   

  Joe Miller

  www.dslbyair.com

  228-831-8881

   



--




[WISPA] be on the look out for this

2014-01-17 Thread Joe Miller
We had a network outage yesterday afternoon, and thanks to Mike Francis at
JMF Solutions the problem went away. So, anyone who needs network help…I
would strongly recommend Mike Francis at JMF Solutions.

 

Kudos to Mike Francis.

 

http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573 

 

Joe Miller

www.dslbyair.com

228-831-8881

 
