[168667] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Michael DeMan)
Mon Feb 3 00:46:18 2014
From: Michael DeMan <nanog@deman.com>
In-Reply-To: <20140202204446.50900.qmail@joyce.lan>
Date: Sun, 2 Feb 2014 21:45:50 -0800
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
The recently publicized mechanism to leverage NTP servers for amplified
DoS attacks is seriously effective.
I had a friend who had a local ISP affected by this Thursday and also
another case where just two asterisk servers saturated a 100mbps link to
the point of unusability.
Once more - this exploit is seriously effective at using bandwidth by
reflection.
From a provider point of view, given the choices between contacting
the end-users vs. mitigating the problem, if I were in TW's position, if I
was unable to immediately contact the numerous downstream customers that
were affected by this, I would take the option to block NTP on a
case-by-case basis (perhaps even taking a broad brush) rather than allow
it to continue and cause disruptions elsewhere.
- Mike
On Feb 2, 2014, at 12:44 PM, John Levine <johnl@iecc.com> wrote:
> In article <20140202163313.GF24634@hijacked.us> you write:
>> The provider has kindly acknowledged that there is an issue, and are
>> working on a resolution. Heads up, it may be more than just my region.
>
> I'm a Time-Warner cable customer in the Syracuse region, and both of
> the NTP servers on my home LAN are happily syncing with outside peers.
>
> My real servers are hosted in Ithaca, with T-W being one of the
> upstreams and they're also OK. They were recruited into an NTP DDoS
> last month (while I was at a meeting working on anti-DDoS best
> practice, which was a little embarrassing) but they're upgraded and
> locked down now.
>
> R's,
> John