The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective. I had a friend who had a local ISP affected by this Thursday and also another case where just two Asterisk servers saturated a 100 Mbps link to the point of unusability. Once more - this exploit is seriously effective at using bandwidth by reflection.
From a provider point of view, given the choices between contacting the end-users vs. mitigating the problem, if I were in TW's position, if I was unable to immediately contact the numerous downstream customers that were affected by this, I would take the option to block NTP on a case-by-case basis (perhaps even taking a broad brush) rather than allow it to continue and cause disruptions elsewhere.

- Mike

On Feb 2, 2014, at 12:44 PM, John Levine <jo...@iecc.com> wrote:

> In article <20140202163313.gf24...@hijacked.us> you write:
>> The provider has kindly acknowledged that there is an issue, and are
>> working on a resolution. Heads up, it may be more than just my region.
>
> I'm a Time-Warner cable customer in the Syracuse region, and both of
> the NTP servers on my home LAN are happily syncing with outside peers.
>
> My real servers are hosted in Ithaca, with T-W being one of the
> upstreams and they're also OK. They were recruited into an NTP DDoS
> last month (while I was at a meeting working on anti-DDoS best
> practice, which was a little embarrassing) but they're upgraded and
> locked down now.
>
> R's,
> John