Does anyone know of a public site which documents the traffic associated with the recent NTP DDOS attacks?
I'm trying to see if the attacks correlate to some packet loss we are seeing.
Here is an article on the attack.
http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hit...
On 12/02/14 08:17, John Lange wrote:
Does anyone know of a public site which documents the traffic associated with the recent NTP DDOS attacks?
I'm trying to see if the attacks correlate to some packet loss we are seeing.
-- John Lange
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable
Some more technical details: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplificat...
There's a comment at the bottom to the effect of "there's an even worse problem hiding in SNMP"
Sean
On Wed, Feb 12, 2014 at 5:57 PM, Bill Reid billreid@shaw.ca wrote:
Here is an article on the attack.
http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787
Thanks, Sean and Bill, for the helpful links. The cloudflare.com article offers a link to SANS's ISC site with a very simple tip: just add "disable monitor" to your /etc/ntp.conf file. This works even with ntp-4.2.2p1 on RHEL 5, and is way easier than figuring out if/how I can update to 4.2.7, or if Team Cymru's highly locked-down config for simple NTP clients will work OK for a 3-peer stratum-2 config like what I'm using.
Gilles
On 13/02/2014 11:29 PM, Sean Walberg wrote:
Some more technical details: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplificat...
There's a comment at the bottom to the effect of "there's an even worse problem hiding in SNMP"
Sean
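The request being abused in the attack discussed above is the NTP mode 7 "monlist" query, and the "disable monitor" fix Gilles mentions changes what a server sends back to it. The script below is an added example for this thread, not code from the ntp project, CloudFlare or SANS: it builds the 8-byte monlist probe, parses any mode 7 replies using the packet layout from ntp_request.h (struct req_pkt and the 72-byte struct info_monitor_1), and reports whether a server would still act as an amplifier. The network probe is for servers you operate; the sample replies are constructed inline so the parsing can be checked offline. Host names and client addresses in the sample data are made up.

```python
"""Probe an NTP server for the mode-7 monlist request and decode the replies.

Added example for this thread, not ntp project code. Packet layout follows
struct req_pkt and struct info_monitor_1 in ntp 4.2.x ntp_request.h.
"""
import socket
import struct

MODE_PRIVATE = 7          # NTP mode 7: the private ntpdc control protocol
IMPL_XNTPD = 3            # implementation number ntpdc sends
REQ_MON_GETLIST_1 = 42    # request code for MON_GETLIST_1 ("monlist")
MONITOR_ITEM_SIZE = 72    # sizeof(struct info_monitor_1), one per recent client
REQUEST_LEN = 8           # header only, no data items

# Error codes carried in the high 4 bits of err_nitems (ntp_request.h)
INFO_ERRORS = {0: "ok", 1: "incompatible implementation", 2: "unknown request code",
               3: "format error", 4: "no data (monitor disabled or list empty)",
               7: "authentication failure"}


def build_monlist_request(sequence=0):
    """8-byte request: response=0, more=0, version 2, mode 7, impl 3, req 42, 0 items."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE                      # 0x17
    return struct.pack("!BBBBHH", rm_vn_mode, sequence & 0x7F,
                       IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(data):
    """Decode one mode-7 reply: error code, 'more' flag and the client entries it carries."""
    if len(data) < 8:
        raise ValueError("too short for a mode-7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", data[:8])
    if (rm_vn_mode & 0x07) != MODE_PRIVATE or not (rm_vn_mode & 0x80):
        raise ValueError("not a mode-7 response")
    err, nitems, itemsize = err_nitems >> 12, err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    clients = []
    if err == 0 and req == REQ_MON_GETLIST_1 and itemsize == MONITOR_ITEM_SIZE:
        body = data[8:]
        for i in range(nitems):
            item = body[i * itemsize:(i + 1) * itemsize]
            if len(item) < itemsize:
                break
            # Offsets: lasttime 0, firsttime 4, restr 8, count 12, addr 16, daddr 20,
            # flags 24, port 28, mode 30, version 31, v6_flag 32, unused 36, addr6 40, daddr6 56
            count = struct.unpack("!I", item[12:16])[0]
            port = struct.unpack("!H", item[28:30])[0]
            # v6_flag is written in host byte order by ntpd, so test for any non-zero byte
            if any(item[32:36]):
                host = socket.inet_ntop(socket.AF_INET6, item[40:56])
            else:
                host = socket.inet_ntoa(item[16:20])
            clients.append((host, port, count))
    return {"error": err, "error_text": INFO_ERRORS.get(err, "error %d" % err),
            "more": bool(rm_vn_mode & 0x40), "sequence": auth_seq & 0x7F,
            "nitems": nitems, "clients": clients}


def classify(responses, request_len=REQUEST_LEN):
    """Summarise a probe from the list of raw reply packets (empty list = no answer)."""
    if not responses:
        return {"verdict": "no answer (dropped, filtered, or 'restrict ... noquery')",
                "amplification": 0.0, "clients": []}
    parsed = [parse_monlist_response(r) for r in responses]
    clients = [c for p in parsed for c in p["clients"]]
    amplification = sum(len(r) for r in responses) / request_len   # bytes out per byte in
    if clients:
        verdict = "answers monlist: usable as an amplifier (%d entries, %.0fx bytes)" % (
            len(clients), amplification)
    elif parsed[0]["error"] == 4:
        verdict = "monlist refused with 'no data': monitor disabled"
    else:
        verdict = "monlist refused: " + parsed[0]["error_text"]
    return {"verdict": verdict, "amplification": amplification, "clients": clients}


def probe(host, port=123, timeout=2.0):
    """Send one monlist request to a server you operate and collect every reply packet."""
    req = build_monlist_request()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        while True:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
            if not parse_monlist_response(data)["more"]:
                break
    return classify(replies, len(req))


def make_fake_response(clients=(), error=0, more=False, sequence=0):
    """Constructed mode-7 reply laid out as ntpd would send it (test data, not a capture)."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    body = b""
    for host, port, count in clients:
        item = struct.pack("!IIII", 0, 0, 0, count)              # lasttime, firsttime, restr, count
        item += socket.inet_aton(host) + b"\0" * 8                # addr, daddr, flags
        item += struct.pack("!HBB", port, 3, 4)                   # port, mode, version
        item += b"\0" * 40                                        # v6_flag, unused1, addr6, daddr6
        body += item
    hdr = struct.pack("!BBBBHH", rm_vn_mode, sequence, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      (error << 12) | len(clients), MONITOR_ITEM_SIZE if clients else 0)
    return hdr + body


if __name__ == "__main__":
    # Offline demo on constructed data: a full 6-entry packet is 440 bytes for an 8-byte query.
    full = make_fake_response([("192.0.2.%d" % i, 123, 1) for i in range(1, 7)])
    print(classify([full])["verdict"])
    print(classify([make_fake_response(error=4)])["verdict"])
```

Run against one of your own servers with `probe("ntp.example.net")`. A server that still lists clients is the condition the attack relies on; one configured with "disable monitor" keeps answering mode 7 but returns error 4, and one using "restrict default noquery" does not answer mode 6 or 7 queries at all, which is why the script treats a timeout as a separate verdict rather than a failure.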
Here is a good link with technical details. Also a spreadsheet with the networks that had NTP servers involved in the attack.
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplificat...
On 12/02/14 08:17, John Lange wrote:
Does anyone know of a public site which documents the traffic associated with the recent NTP DDOS attacks?