Thanks, Sean and Bill, for the helpful links.  The cloudflare.com article offers a link to SANS's ISC site with a very simple tip: just add "disable monitor" to your /etc/ntp.conf file.  This works even with ntp-4.2.2p1 on RHEL 5, and is way easier than figuring if/how I can update to 4.2.7, or if Team Cymru's highly locked-down config for simple NTP clients will work OK for a 3 peer stratum 2 config like what I'm using.

Gilles

On 13/02/2014 11:29 PM, Sean Walberg wrote:
Some more technical details: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

There's a comment at the bottom to the effect of "there's an even worse problem hiding in SNMP"

Sean


On Wed, Feb 12, 2014 at 5:57 PM, Bill Reid <billreid@shaw.ca> wrote:
Here is an article on the attack.

http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787

On 12/02/14 08:17, John Lange wrote:
Does anyone know of a public site which documents the traffic associated with
the recent NTP DDOS attacks?

I'm trying to see if the attacks correlate to some packet loss we are seeing.

--
John Lange



_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable




--
Sean Walberg <sean@ertw.com>    http://ertw.com/



-- 
Gilles R. Detillieux              E-mail: <grdetil@scrc.umanitoba.ca>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/
Dept. Physiology, U. of Manitoba  Winnipeg, MB  R3E 0J9  (Canada)
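
An added example, not part of any message in this thread: a small Python check of ntp.conf text for the "disable monitor" tip mentioned at the top. The sample configs and the server name are constructed; treating a later "enable monitor" as overriding an earlier "disable monitor", and treating "restrict ... limited" as keeping monitoring active (as ntpd's access-control documentation describes), are assumptions of this sketch.

```python
# Constructed sample configs (not taken from the thread).
SAMPLE_EXPOSED = """\
# stratum 2 peers, monitoring left at its default (enabled)
server 0.pool.example iburst
restrict default kod nomodify notrap nopeer
"""
SAMPLE_FIXED = SAMPLE_EXPOSED + "disable monitor\n"
SAMPLE_LIMITED = SAMPLE_FIXED + "restrict -6 default limited kod\n"


def audit_ntp_conf(text):
    """Return (monitor_disabled, findings) for the text of an ntp.conf."""
    monitor_on = True   # ntpd enables the monitor facility by default
    limited = False
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words:
            continue
        keyword, args = words[0].lower(), [w.lower() for w in words[1:]]
        if keyword in ("enable", "disable") and "monitor" in args:
            # Assumption: directives apply in file order, last one wins.
            monitor_on = keyword == "enable"
            findings.append(f"line {lineno}: {keyword} monitor")
        elif keyword == "restrict" and "limited" in args:
            limited = True
            findings.append(f"line {lineno}: restrict ... limited")
    if limited and not monitor_on:
        # Assumption from ntpd docs: monitoring stays active while any
        # restrict entry carries the "limited" flag.
        monitor_on = True
        findings.append("'limited' keeps monitoring active despite 'disable monitor'")
    if monitor_on:
        findings.append("monitor facility enabled: monlist queries may be answered")
    return (not monitor_on, findings)


if __name__ == "__main__":
    samples = [("exposed", SAMPLE_EXPOSED), ("fixed", SAMPLE_FIXED),
               ("limited", SAMPLE_LIMITED)]
    for name, conf in samples:
        ok, notes = audit_ntp_conf(conf)
        print(name, "OK" if ok else "CHECK", notes)
```

To check a real host, pass the contents of /etc/ntp.conf to audit_ntp_conf() and review every finding it returns.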