[168700] in North American Network Operators' Group
Re: TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Feb 3 13:44:13 2014
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <D553A35E-AF58-47D9-9A5B-A225616A6041@deman.com>
Date: Mon, 3 Feb 2014 13:39:10 -0500
To: Michael DeMan <nanog@deman.com>
Cc: John Levine <johnl@iecc.com>, nanog list <nanog@nanog.org>
On Feb 3, 2014, at 12:45 AM, Michael DeMan <nanog@deman.com> wrote:
> The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective.
> I had a friend who had a local ISP affected by this Thursday and also another case where just two Asterisk servers saturated a 100 Mbps link to the point of unusability.
> Once more - this exploit is seriously effective at using bandwidth by reflection.
The challenge I see is there's some hosts like this one:
[jared@nowherelikehome ]$ ntpq -c rv 111.107.252.142
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
reftime=d685a094.9c806290 Sun, Jan 19 2014 0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4 Mon, Feb 3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042
This host will happily generate a 100GB response to a single packet.
They even have advisories posted:
http://www.seil.jp/support/security/a01411.html
Getting the information into the admin is hard. Time zones, language barriers, folks understanding why having unmaintained NTP hosts out there can be a significant issue. We found many ILO/IPMI interfaces that have NTP you can't do anything about (no filters, etc) - let alone patch ..
Through ACL (hopefully not) or folks fixing hosts the following trend is observable in # of unique hosts that respond to NTP packets:

1529866 2014-01-10
1402569 2014-01-17
 803156 2014-01-24
 564027 2014-01-31
I will say that an awful lot of "firewall" operators out there seem to now be saying "NTP BAD" and generating panicked emails about NTP traffic.
- Jared
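What `ntpq -c rv` actually puts on the wire, and why one small spoofed packet can come back as much more, as an added example in Python written for this page (it is not code from Jared's post, from ntpq or from ntpd). Assumptions: the mode-6 control header layout and the 468-octet per-fragment data limit are taken from RFC 1305 Appendix B; version 2 is ntpq's default for control packets; `fragment_reply` is a constructed stand-in for the server side so the exchange runs offline; the sample reply is built from the variable list shown in the post above (status 0x06f4 is the value that output shows), and the counts it produces are for that constructed reply only.

```python
"""NTP mode-6 (control) readvar: build the request `ntpq -c rv` sends,
reassemble the fragmented reply, and measure bandwidth amplification.

Added example for this page, not code from the post, ntpq or ntpd.
Header layout per RFC 1305 Appendix B (assumption); the server side
below is a constructed stand-in so the exchange can be run offline.
"""
import struct

MODE_CONTROL = 6                 # NTP mode 6: control messages (what ntpq speaks)
CTL_VERSION = 2                  # ntpq's default version field for control packets
OP_READVAR = 2                   # opcode 2: read variables ("rv")
MAX_DATA = 468                   # max data octets per control fragment
HDR = struct.Struct("!BBHHHHH")  # LI/VN/mode, R/E/M/op, seq, status, assoc, offset, count
R_BIT, E_BIT, M_BIT = 0x80, 0x40, 0x20   # response, error, more


def _pad32(pkt: bytes) -> bytes:
    """Control packets are zero-padded to a 32-bit boundary."""
    return pkt + b"\x00" * (-len(pkt) % 4)


def build_readvar_request(assoc_id: int = 0, sequence: int = 1,
                          variables: bytes = b"") -> bytes:
    """Mode-6 readvar request; an empty variable list asks for all variables."""
    first = (0 << 6) | (CTL_VERSION << 3) | MODE_CONTROL
    hdr = HDR.pack(first, OP_READVAR, sequence, 0, assoc_id, 0, len(variables))
    return _pad32(hdr + variables)


def parse_control(datagram: bytes) -> dict:
    """Decode one control packet; raises ValueError on malformed input."""
    if len(datagram) < HDR.size:
        raise ValueError("short control packet")
    first, second, seq, status, assoc, offset, count = HDR.unpack_from(datagram)
    if first & 7 != MODE_CONTROL:
        raise ValueError("not a mode-6 packet")
    data = datagram[HDR.size:HDR.size + count]
    if len(data) != count:
        raise ValueError("count field exceeds datagram length")
    return {"version": (first >> 3) & 7, "response": bool(second & R_BIT),
            "error": bool(second & E_BIT), "more": bool(second & M_BIT),
            "opcode": second & 0x1F, "sequence": seq, "status": status,
            "assoc_id": assoc, "offset": offset, "data": data}


def fragment_reply(request: bytes, payload: bytes, status: int = 0x06F4) -> list:
    """Constructed server side: split a readvar reply into fragments of at most
    MAX_DATA octets, M set on all but the last. Each fragment is a full UDP
    datagram sent to the (spoofed) source address of the request."""
    req = parse_control(request)
    first = (0 << 6) | (req["version"] << 3) | MODE_CONTROL
    frags = []
    for off in range(0, max(len(payload), 1), MAX_DATA):
        chunk = payload[off:off + MAX_DATA]
        more = off + MAX_DATA < len(payload)
        second = R_BIT | (M_BIT if more else 0) | OP_READVAR
        hdr = HDR.pack(first, second, req["sequence"], status,
                       req["assoc_id"], off, len(chunk))
        frags.append(_pad32(hdr + chunk))
    return frags


def reassemble(fragments: list) -> tuple:
    """Join fragments by offset, in any arrival order; returns (data, complete)."""
    parsed = sorted((parse_control(f) for f in fragments), key=lambda p: p["offset"])
    data = b""
    for p in parsed:
        if not p["response"] or p["opcode"] != OP_READVAR:
            raise ValueError("not a readvar response")
        if p["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        data += p["data"]
    complete = bool(parsed) and not parsed[-1]["more"]
    return data, complete


def amplification_factor(request: bytes, fragments: list) -> float:
    """Bytes the reflector emits per byte the attacker sent (UDP payload only)."""
    return sum(len(f) for f in fragments) / len(request)


# Constructed from the readvar output in the post, as one variable list.
SAMPLE_RV = (
    b'version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)", '
    b'processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5, '
    b'precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012, '
    b'refid=172.22.203.213, '
    b'reftime=d685a094.9c806290  Sun, Jan 19 2014  0:53:40.611, poll=10, '
    b'clock=d69a5d3c.c6b1a2a4  Mon, Feb  3 2014 18:23:56.776, state=4, '
    b'offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042\r\n'
)

if __name__ == "__main__":
    req = build_readvar_request()
    frags = fragment_reply(req, SAMPLE_RV)
    data, done = reassemble(frags)
    print("request %d bytes -> %d fragment(s), %d bytes total, factor %.1f" % (
        len(req), len(frags), sum(map(len, frags)), amplification_factor(req, frags)))
```

The request is 12 bytes with no variable list, and the responder owes one fragment per 468 octets of the variable list, so the factor scales with how much the host is willing to report; the same `parse_control` is what you would run over a capture to tell a readvar request (R bit clear, opcode 2) from its response fragments (R bit set, M bit set on all but the last) when deciding what an ACL or rate limit should match on.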