Fwd: port 123 reflection attacks
Where does it say we need to contact home cert instead on your website ? verification of what ? HSOFT ranges have been compromised by NTP reflection attacks and the NTP servers hosted by HSOFT need to have an NTP update. This has been discussed on NANOG and I also sent information in Chinese to aid debug as well. Have had no response from HSOFT…

Colin
Begin forwarded message:
From: "cncertcc" <cncert@cert.org.cn>
Subject: Re:Fwd: port 123 reflection attacks
Date: 30 December 2015 at 08:15:28 GMT
To: "Colin Johnston" <colinj@gt86car.org.uk>
Greetings, Please forward the case to the corresponding CERT you are located in first to have it transferred to CNCERT after verification. Thanks for your understanding.
------------------
Thanks and Regards
CNCERT/CC
--------------------------------------------------------
国家互联网应急中心 National Computer network Emergency Response technical Team / Coordination Center of China
Tel: +8610-82991000  fax: +8610-82990375
email: cncert@cert.org.cn  website: www.cert.org.cn
Address: A3 Yumin Road, Chaoyang District, Beijing, 100029, China
--------------------------------------------------------
------------------ Original ------------------
From: "Colin Johnston" <colinj@gt86car.org.uk>
Date: Fri, Dec 25, 2015 07:31 PM
To: "cncertcc" <cncert@cert.org.cn>
Cc: "Colin Johnston" <colinj@gt86car.org.uk>
Subject: Fwd: port 123 reflection attacks
Begin forwarded message:
From: Colin Johnston <colinj@gt86car.org.uk>
Subject: Fwd: port 123 reflection attacks
Date: 25 December 2015 at 11:27:02 GMT
To: oversea-support@cnnic.cn, bdservice@cnnic.cn
Cc: Colin Johnston <colinj@gt86car.org.uk>
Can you investigate with priority please
Colin
Begin forwarded message:
From: Colin Johnston <colinj@gt86car.org.uk>
Subject: port 123 reflection attacks
Date: 25 December 2015 at 11:19:26 GMT
To: 16036260@qq.com, ipas@cnnic.cn
Cc: Colin Johnston <colinj@gt86car.org.uk>
please stop the port 123 reflection attacks from 115.47.24.220
Colin
hi ya colin

On 12/30/15 at 09:04am, Colin Johnston wrote:
Where does it say we need to contact home cert instead on your website ?
because cncert@cert.org.cn asked ?
verification of what ?
i'd want to see if it's a simple port scan by a script kiddie vs a more serious upcoming DOS attack from attackers with an "evil purpose"
they might just be poking around to find vulnerable ntpd servers ?

since there's been no satisfactory answer in 5 days, in the meantime, i'd suggest:
- be sure ntpd is properly configured
- be sure to be running the latest ( no known exploits ) ntpd server
- ntpd servers should only be necessary for your servers ... and incoming connections from outside should never reach your ntpd
- use an alternative ntpd server/source on a different wire
HSOFT ranges have been compromised by NTP reflection attacks
there's a difference between compromised vs port scanning ( probes )
- compromised ... hsoft need to fix it ( upgrade and reconfigure ntpd )
- probes/scanners ... nothing much you can do other than limit your outgoing ( 123/udp ) replies
- there's thousands of probes occurring constantly on various ports ...
and the NTP servers hosted by HSOFT need to have a NTP update.
they better get going to update their ntpd and configs ... i'd rattle hsoft's cage harder ... :-)
This has been discussed on NANOG and I also sent information in Chinese to aid debug as well.
Have had no response from HSOFT…
:-) i wonder what else is occupying their time

magic pixie dust

alvin
# DDoS-Simulator.net
- be sure ntpd is properly configured
to be explicit, test it

    % ntpdc -n -c monlist psg.com
    psg.com: timed out, nothing received
    ***Request timed out

this is the desired result. any real response means the host is open to be a reflector

fwiw, i got caught last week. a debian vm had been brought up using dhcp, and the /var/lib/ntp/ntp.conf.dhcp was still there after the host was reconfigured to static. took me a while to find it. embarrassing.

my ntp.yml playbook now has as its first task

    - name: remove dhcpd artifact
      file: path=/var/lib/ntp/ntp.conf.dhcp state=absent

randy
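Added example, not code from the thread or from any of its participants. It is an offline check that serves both alvin's first suggestion ("be sure ntpd is properly configured") and randy's monlist test and dhcp-artifact story: it reads an ntp.conf for the ntp.org ntpd, looks at the flags on the "restrict default" lines and at "disable monitor", and reports whether monlist would still be answered for arbitrary IPv4 or IPv6 hosts. It also models which config file the daemon ends up reading when /var/lib/ntp/ntp.conf.dhcp is left behind; that the DHCP-written file takes precedence while it exists is an assumption inferred from randy's report. The two sample configs, the server name ntp.example.net and all function names are constructed for the example.

```python
"""Offline audit of an ntpd (ntp.org reference implementation) config for
monlist reflector exposure.

Added example, not code from the NANOG thread.  It models only the directives
the thread's advice turns on: the flags of 'restrict ... default', the
'disable monitor' switch, and the /var/lib/ntp/ntp.conf.dhcp artifact randy
describes.  The two sample configs below are constructed for illustration.
"""
import os
import sys

STATIC_CONF = "/etc/ntp.conf"
DHCP_ARTIFACT = "/var/lib/ntp/ntp.conf.dhcp"  # path taken from randy's message

# Flags on a 'restrict default' line that refuse mode-6/mode-7 queries (monlist
# is a mode-7 request) from hosts matching that line.
QUERY_BLOCKING_FLAGS = {"noquery", "ignore"}

EXPOSED_CONF = """\
# constructed sample: the default restriction never says noquery
server ntp.example.net iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: monitoring off and queries refused for both families
server ntp.example.net iburst
disable monitor
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Return (default_restricts, monitor_enabled).

    default_restricts maps 'ipv4'/'ipv6' to the flag set of the matching
    'restrict default' line; a bare 'restrict default' applies to both.
    """
    default_restricts = {}
    monitor_enabled = True  # ntpd collects monlist data unless told otherwise
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "restrict":
            families = ("ipv4", "ipv6")
            if args and args[0] == "-4":
                families, args = ("ipv4",), args[1:]
            elif args and args[0] == "-6":
                families, args = ("ipv6",), args[1:]
            if args and args[0] == "default":
                for family in families:
                    default_restricts[family] = set(args[1:])
        elif keyword in ("disable", "enable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
    return default_restricts, monitor_enabled


def audit_ntp_conf(text):
    """Report which address families can reach monlist and whether it answers."""
    default_restricts, monitor_enabled = parse_ntp_conf(text)
    open_families, findings = [], []
    for family in ("ipv4", "ipv6"):
        flags = default_restricts.get(family)
        if flags is None:
            open_families.append(family)
            findings.append(f"{family}: no 'restrict default' line, any host may query")
        elif not flags & QUERY_BLOCKING_FLAGS:
            open_families.append(family)
            findings.append(f"{family}: 'restrict default' lacks noquery "
                            f"(flags: {' '.join(sorted(flags)) or 'none'})")
    if not monitor_enabled:
        findings.append("monitor disabled: monlist has no data to return")
    return {
        # the reflector case needs both an unrestricted family and monitoring on
        "monlist_reflector": monitor_enabled and bool(open_families),
        "open_families": open_families,
        "findings": findings,
    }


def effective_conf_path(static_conf=STATIC_CONF, dhcp_artifact=DHCP_ARTIFACT,
                        exists=os.path.exists):
    """Which file the daemon will actually read on this host.

    Assumption drawn from randy's report: while the DHCP-written file exists it
    is used in place of the static config, so a host moved to a static address
    keeps whatever the DHCP server handed out.  `exists` is injectable so the
    logic can be exercised without touching the filesystem.
    """
    return dhcp_artifact if exists(dhcp_artifact) else static_conf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # audit a real file; first say which file ntpd would be reading
        print("ntpd would read:", effective_conf_path(static_conf=sys.argv[1]))
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"exposed (constructed)": EXPOSED_CONF,
                   "hardened (constructed)": HARDENED_CONF}
    for name, conf in samples.items():
        result = audit_ntp_conf(conf)
        print(f"{name}: monlist reflector = {result['monlist_reflector']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Run it with no arguments to see the constructed exposed and hardened configs side by side, or pass a path to audit a real ntp.conf. Either "noquery" on every default restriction or "disable monitor" on its own is enough to make randy's ntpdc test time out; the audit treats a missing IPv6 line the same as a missing IPv4 line, which is easy to overlook on dual-stack hosts.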
participants (3)
-
alvin nanog
-
Colin Johnston
-
Randy Bush