My gosh! NTP DDoS attacks are coming like crazy lately. Y'all getting hit?
I'm going to need to set up a BGP injection thingy with my upstream providers to signal a /32 for my victim(s) in my network so I can selectively blackhole traffic in the cloud prior to it hitting my internet links... this is getting really bad.

Aaron

-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of Richard Clayton
Sent: Tuesday, February 11, 2014 3:36 PM
To: Cisco NSPs
Subject: [c-nsp] NTP DDoS

Seems to be doing the rounds. Had a fault open for a couple of days with a 100Mb Ethernet customer; reported fault was packet loss. Cacti showed an upstream flatline of 30Mb and an increase in downstream. As the circuit traffic had recently increased, 1st line support presumed that the BT Wholesale circuit had an Etherflow bandwidth restriction, so raised the fault, which ping-ponged back and forth until BT washed their hands of it (rightly so on this occasion).

When it was escalated to me I noticed 'no buffer' and 'pause input' packet counters were going nuts on the LAN interface; the packet counters were 10k packets/sec. I enabled 'ip route-cache flow' on the WAN interface and there it was, 1000s of NTP connections.

In summary, the Cisco 1921 gave up at 30Mb/s with no buffer left; it usually runs fine at 100Mb/s with no NAT config. Customer had public IP on LAN switch for management and open NTP, LOL.

Sledge

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
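
Added example, not part of the thread and not code from either poster: a flow triage that separates the two situations described above, an internal host answering NTP to many outside addresses (the open-NTP customer) and an internal address flooded with NTP replies (a candidate for the /32 blackhole announcement). The flow tuple layout, the function names, the 76-byte and `min_peers` thresholds and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

UDP, NTP_PORT = 17, 123
NORMAL_REPLY = 76  # IPv4 header (20) + UDP header (8) + 48-byte NTP time reply

def classify_ntp_flows(flows, internal_net, min_peers=3):
    """Return {'reflector': {ip: bytes}, 'victim': {ip: bytes}} for internal hosts."""
    # flows: (src, dst, proto, sport, dport, packets, bytes) tuples; this layout
    # is constructed for the example, adapt it to what your flow exporter emits.
    net = ipaddress.ip_network(internal_net)
    peers = defaultdict(set)   # (role, host) -> distinct remote addresses
    octets = defaultdict(int)  # (role, host) -> bytes seen in oversized replies
    for src, dst, proto, sport, dport, pkts, nbytes in flows:
        # Reflected traffic consists of NTP replies: UDP with source port 123.
        if proto != UDP or sport != NTP_PORT or pkts == 0:
            continue
        # Ordinary time replies are small; skip them so normal sync is ignored.
        if nbytes / pkts <= NORMAL_REPLY:
            continue
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        if src_in and not dst_in:
            key, peer = ("reflector", src), dst  # our host answers strangers
        elif dst_in and not src_in:
            key, peer = ("victim", dst), src     # our host is being flooded
        else:
            continue
        peers[key].add(peer)
        octets[key] += nbytes
    out = {"reflector": {}, "victim": {}}
    for (role, host), seen in peers.items():
        if len(seen) >= min_peers:
            out[role][host] = octets[(role, host)]
    return out

def blackhole_candidates(report):
    """Victim addresses as /32 prefixes, largest flood first."""
    victims = sorted(report["victim"].items(), key=lambda kv: -kv[1])
    return [f"{ip}/32" for ip, _ in victims]

# Constructed sample flows using documentation address ranges.
SAMPLE = (
    [("192.0.2.10", f"198.51.100.{i}", 17, 123, 40000 + i, 100, 46800) for i in range(1, 5)]
    + [(f"203.0.113.{i}", "192.0.2.50", 17, 123, 80, 200, 93600) for i in range(1, 4)]
    + [("198.51.100.200", "192.0.2.60", 17, 123, 123, 1, 76)]  # normal time sync
)
```

Hosts reported as reflectors need their NTP service closed or filtered; only the victim list is meant to feed a blackhole announcement.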
