List of open NTP servers from http://openntpproject.org/

You can search by ASN, just replace 15169 in the URL:
http://openntpproject.org/searchby-asn.cgi?search_asn=15169

Regards,
Matt

-----Original Message-----
From: uknof [mailto:[email protected]] On Behalf Of Thomas Mangin
Sent: 12 February 2014 23:28
To: [email protected]
Cc: [email protected]
Subject: Re: [uknof] DNS/NTP <censured>, a solution !

Hi Robin,

On 12 Feb 2014, at 23:07, Robin Williams <[email protected]> wrote:

> Interesting timing - we've also been seeing a big increase in the same over
> the last few weeks, mainly targeting schools from automated (& cheap!)
> online 'booter' services (presumably instigated by students who have had
> enough of their IT lessons).

Same here, our DDoS were also very short, 15ms, hence why our focus was on reacting to abnormal flows quickly (enough to stop the course, not enough to piss off the ISP?). We found a way to disable the relation between the school and the control machine; since then we have had no more attacks. It seems that the attack must be initiated from inside the school (at least from what we have seen/understood).

> We've also been forced to script something similar to analyse flows each
> minute and advertise blackholes upstream in an automated fashion in order to
> react quicker.

That's why open source is great, I hate it when everyone is re-inventing the same wheel :-)

> I found that the complexity (and the bit I imagine the paid mitigation
> services spend a lot of their R&D on) is the 'analysis' part to reliably
> detect.

The trick we found is to detect when our upstream passes an "abnormal" threshold and look at that time for the top speaker in terms of pps. Not perfect, but as it still requires someone here to "pull the trigger" it works pretty well.

> I found it easy enough for some of the simple attacks hitting us though.
> Our scripted version is very specific to the way we're set up so it wouldn't
> really translate elsewhere, but I'll be interested to take a look through
> your git repo.

Alas, I'm no front-end/GUI coder either :) Our "production" version written by Daniel is ahead of ExaBGP, but then it is also very specific. I intend to catch up with him and have the NOC team switch tool, but for the last few days I am told he added a feature I am still missing :p Perhaps I should force him to work on my code base :p I would be interested in sharing ideas, but I guess it would be better to take the discussion off-list.

> One thing I did think would be useful while I was doing this, was if there
> was an 'open' online IP address reputation database (similar to a spam
> reputation db) - I couldn't find one with a quick Google.

No - I do not know of any either, but IMHO we are always fighting the problem the wrong way: ISPs know their customers and should be able to detect outgoing DDoS, instead everyone is paying big money to stop INCOMING flows. The other day we detected that we were part of the problem and stopped the traffic; funnily we got a mail from the recipient of the attack who was very surprised when we told him that (a) we knew and (b) it had been sorted the day before. I tried to push the same idea with spam a few years back (and even wrote some proof-of-concept code with ScavengerEXA) but got nowhere ... However, I may be able to bring back some of the ideas in ExaDDOS if the project gets traction.

> Seems to me it wouldn't take much for different providers all analysing flows
> to come up with a fairly reliable list of sources for some of this
> amplification attack traffic (provided the source isn't spoofed, which
> normally amplified stuff wouldn't be).

hum .. a list of open NTP servers ?

> Having that list to use when determining whether a flow I'm analysing is a
> DDoS (to use as a weighting amongst other factors) would help a lot, and
> could maybe even be used to drop such traffic in the network based on source
> rather than blackholing destinations upstream, provided the network could
> take the hit (though getting into a bit of neutrality debate there I guess!)

We do not blackhole the destination unless we really have no other choice, as otherwise the attacker wins, hence why I like FlowSpec so much.

Thomas
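The detection approach Thomas describes (watch for the upstream crossing an "abnormal" pps threshold, then find the top speaker at that moment, and prefer a narrow FlowSpec match over blackholing the destination) as an added illustration; this is not ExaDDOS or the production script mentioned in the thread. The flow records, baseline, factor and the FlowSpec rule layout are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, not real traffic:
# (minute_bucket, src_ip, dst_ip, proto, src_port, packets)
FLOWS = [
    (0, "198.51.100.7", "192.0.2.10", "udp", 53, 1200),
    (0, "198.51.100.8", "192.0.2.11", "tcp", 443, 900),
    (1, "203.0.113.5", "192.0.2.10", "udp", 123, 300000),
    (1, "203.0.113.6", "192.0.2.10", "udp", 123, 280000),
    (1, "198.51.100.8", "192.0.2.11", "tcp", 443, 1000),
]
BASELINE_PPS = 50      # assumed quiet-hour upstream rate
ABNORMAL_FACTOR = 10   # assumed: 10x baseline counts as "abnormal"

def upstream_pps(flows):
    """Total upstream packets per second, keyed by minute bucket."""
    totals = defaultdict(int)
    for minute, _src, _dst, _proto, _sport, packets in flows:
        totals[minute] += packets
    return {m: p / 60 for m, p in totals.items()}

def top_speaker(flows, minute):
    """Destination receiving the most pps in `minute`, plus the (proto, src_port)
    pair carrying most of it (udp/123 would point at NTP reflection)."""
    per_dst = defaultdict(int)
    per_pair = defaultdict(lambda: defaultdict(int))
    for m, _src, dst, proto, sport, packets in flows:
        if m == minute:
            per_dst[dst] += packets
            per_pair[dst][(proto, sport)] += packets
    dst = max(per_dst, key=per_dst.get)
    proto, sport = max(per_pair[dst], key=per_pair[dst].get)
    return {"dst": dst, "pps": per_dst[dst] / 60, "proto": proto, "src_port": sport}

def detect(flows, baseline=BASELINE_PPS, factor=ABNORMAL_FACTOR):
    """Minutes where upstream pps crosses the threshold, each with its top speaker.
    The list is for an operator to review; nothing is pushed automatically."""
    return [dict(minute=m, **top_speaker(flows, m))
            for m, pps in sorted(upstream_pps(flows).items())
            if pps > baseline * factor]

def flowspec_rule(alert):
    """Render a FlowSpec-style match limited to the offending proto/source-port
    towards the victim, so the destination itself stays reachable.
    Layout is an assumption; check the syntax of your ExaBGP version."""
    return (f"flow route {{ match {{ destination {alert['dst']}/32; "
            f"protocol {alert['proto']}; source-port ={alert['src_port']}; }} "
            f"then {{ discard; }} }}")
```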
