On Feb 3, 2014, at 12:45 AM, Michael DeMan <nanog@deman.com> wrote:
The recently publicized mechanism to leverage NTP servers for amplified DoS attacks is seriously effective. I had a friend who had a local ISP affected by this Thursday, and also another case where just two Asterisk servers saturated a 100 Mbps link to the point of unusability. Once more - this exploit is seriously effective at using bandwidth by reflection.
The challenge I see is there are some hosts like this one:

[jared@nowherelikehome ]$ ntpq -c rv 111.107.252.142
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)", processor="seil5",
system="NetBSD/3.1_STABLE", leap=00, stratum=5, precision=-18,
rootdelay=9.138, rootdispersion=132.247, peer=58012, refid=172.22.203.213,
reftime=d685a094.9c806290 Sun, Jan 19 2014 0:53:40.611, poll=10,
clock=d69a5d3c.c6b1a2a4 Mon, Feb 3 2014 18:23:56.776, state=4,
offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042

This host will happily generate a 100 GB response to a single packet. They even have advisories posted: http://www.seil.jp/support/security/a01411.html

Getting the information to the admin is hard. Time zones, language barriers, folks understanding why having unmaintained NTP hosts out there can be a significant issue. We found many iLO/IPMI interfaces that have NTP you can't do anything about (no filters, etc.), let alone patch.

Through ACLs (hopefully not) or folks fixing hosts, the following trend is observable in the number of unique hosts that respond to NTP packets:

1529866 2014-01-10
1402569 2014-01-17
803156 2014-01-24
564027 2014-01-31

I will say that an awful lot of "firewall" operators out there seem to now be saying "NTP BAD" and generating panicked emails about NTP traffic.

- Jared
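As an added example (not code from the thread or from either poster), a small Python parser for the `ntpq -c rv` output quoted above, plus a version triage an operator can run over an inventory of hosts that answer control queries. The 4.2.7p26 threshold is not from the thread; it is the ntpd release that removed the monlist query, and it is a parameter so a different policy can be substituted.

```python
import re

# ntpq -c rv output as quoted in Jared's message (line breaks rejoined).
SAMPLE_RV = (
    'associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode, '
    'version="ntpd 4.2.0-r Fri Jul 22 09:50:16 JST 2011 (1)", processor="seil5", '
    'system="NetBSD/3.1_STABLE", leap=00, stratum=5, precision=-18, rootdelay=9.138, '
    'rootdispersion=132.247, peer=58012, refid=172.22.203.213, '
    'reftime=d685a094.9c806290 Sun, Jan 19 2014 0:53:40.611, poll=10, '
    'clock=d69a5d3c.c6b1a2a4 Mon, Feb 3 2014 18:23:56.776, state=4, '
    'offset=-0.598, frequency=-1.463, jitter=0.229, stability=0.042'
)

# One key=value pair. The value is a double-quoted string or runs until the
# next ", key=" / " key=" boundary; splitting on commas alone would cut the
# reftime/clock values in half at "Sun, Jan 19 2014".
_PAIR = re.compile(r'(\w+)=("[^"]*"|.*?)(?=,\s*\w+=|\s+\w+=|\s*$)')
_VER = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:p(\d+))?')

def parse_rv(text):
    """ntpq readvar output -> dict of variable name to value (quotes stripped)."""
    text = " ".join(text.split())  # ntpq wraps long output; rejoin it first
    return {k: v.strip('"') for k, v in _PAIR.findall(text)}

def ntpd_version(version_field):
    """(major, minor, point, patch) from a version= string, or None."""
    m = _VER.search(version_field)
    return tuple(int(x or 0) for x in m.groups()) if m else None

# Not from the thread: ntpd 4.2.7p26 is the release that removed the
# monlist query on which the amplification attacks rely.
MONLIST_REMOVED = (4, 2, 7, 26)

def triage(rv_text, minimum=MONLIST_REMOVED):
    """Summarise one host's reply for an operator's follow-up list.

    Any reply at all means the host answers mode 6 control queries from the
    querying network, which ntp.conf's 'restrict ... noquery' prevents.
    """
    rv = parse_rv(rv_text)
    ver = ntpd_version(rv.get("version", ""))
    return {
        "answers_mode6": bool(rv),
        "system": rv.get("system"),
        "stratum": int(rv.get("stratum", -1)),
        "version": ver,
        "older_than_minimum": ver is not None and ver < minimum,
    }
```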