On Feb 3, 2014, at 12:45 AM, Michael DeMan <na...@deman.com> wrote:

> The recently publicized mechanism to leverage NTP servers for amplified DoS 
> attacks is seriously effective.
> I had a friend who had a local ISP affected by this Thursday and also another 
> case where just two asterisk servers saturated a 100 Mbps link to the point of 
> unusability.
> Once more - this exploit is seriously effective at using bandwidth by 
> reflection.

The challenge I see is there are some hosts like this one:

[jared@nowherelikehome ]$ ntpq  -c rv 111.107.252.142
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
reftime=d685a094.9c806290  Sun, Jan 19 2014  0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4  Mon, Feb  3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042

This host will happily generate a 100GB response to a single packet.

They even have advisories posted:

http://www.seil.jp/support/security/a01411.html

Getting the information to the admin is hard.  Time zones, language barriers, 
folks understanding why having unmaintained NTP hosts out there can be a 
significant issue.  We found many ILO/IPMI interfaces that have NTP you can't 
do anything about (no filters, etc.), let alone patch.

Through ACLs (hopefully not) or folks fixing hosts, the following trend is 
observable in the number of unique hosts that respond to NTP packets:

  1529866 2014-01-10
  1402569 2014-01-17
   803156 2014-01-24
   564027 2014-01-31

I will say that an awful lot of "firewall" operators out there seem to now be 
saying "NTP BAD" and generating panicked emails about NTP traffic.

- Jared
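The `ntpq -c rv` reply quoted in the message above, turned into a fleet-triage check, as an added example that is not part of the original thread: it parses the key=value fields, pulls the ntpd version out, and flags hosts whose ntpd predates the release that disabled monlist by default. The cut-off version (4.2.7p26) and the classification labels are assumptions of this example, not something the message states; vendor backports and `disable monitor` in ntp.conf can make a flagged host safe, so treat "likely" as a prompt to check, not a verdict.

```python
import re

# Constructed sample: the ntpq -c rv reply quoted in the message above,
# reduced to the fields this check needs.
SAMPLE_RV = """associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)",
processor="seil5", system="NetBSD/3.1_STABLE", leap=00, stratum=5,
precision=-18, rootdelay=9.138, rootdispersion=132.247, peer=58012,
refid=172.22.203.213,
"""

# Assumption of this example: monlist was disabled by default from ntpd
# 4.2.7p26 onward, so anything older is a candidate for a closer look.
MONLIST_FIXED = (4, 2, 7, 26)


def parse_rv(text):
    """Turn the 'key=value' pairs of an rv reply (quoted or bare values) into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', text)
    return {k: v.strip('"') for k, v in pairs}


def parse_ntpd_version(version_field):
    """Extract (major, minor, patch, p-level) from strings such as
    'ntpd 4.2.0-r Fri Jul ...' or 'ntpd 4.2.8p15@1.3728-o ...'.
    Returns None when no ntpd version is present."""
    m = re.search(r'ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', version_field)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def monlist_exposure(rv_text):
    """Classify one host's rv reply by version alone:
    'likely' if ntpd predates MONLIST_FIXED, 'unlikely' if at or after it,
    'unknown' if the reply carries no ntpd version. Also returns the OS
    string so the result can be routed to the right admin or vendor."""
    fields = parse_rv(rv_text)
    ver = parse_ntpd_version(fields.get("version", ""))
    system = fields.get("system", "")
    if ver is None:
        return "unknown", system
    return ("likely" if ver < MONLIST_FIXED else "unlikely"), system
```

Feed it the saved rv output of each host in an inventory and sort by the OS/vendor field to batch the notifications.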