Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Alexander Lyamin
I am just trying to grasp what the similarity is between the networks on the
list and why it doesn't include, say, NTT or Cogent.



On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate a really high
> volume of traffic: 10+ Tbps.
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We are talking about an amplification factor of x100+. This means that a
> single computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps
> DDoS. Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISPs as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this, but it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm your identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>



-- 

Alexander Lyamin

CEO | Qrator * Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Alexander Lyamin
Care to do a demo?

On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate a really high
> volume of traffic: 10+ Tbps.
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We are talking about an amplification factor of x100+. This means that a
> single computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps
> DDoS. Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISPs as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this, but it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm your identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>



-- 

Alexander Lyamin

CEO | Qrator * Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Any WAVE Business clue on the list?

2016-12-21 Thread Mike Lyon
If so, can you hit me up offlist?

Thank You,
Mike


-- 
Mike Lyon
408-621-4826
mike.l...@gmail.com

http://www.linkedin.com/in/mlyon


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Valdis . Kletnieks
On Wed, 21 Dec 2016 21:54:42 -0500, Andrew Kirch said:
> I can't for the life of me see why we'd have to deal with it in the course
> of our jobs beyond calling someone and having them install more A/C.  This
> is, flat-out, off topic.

You don't have any fiber that runs into regen shacks in low-lying areas
that didn't *used* to flood, do you?

Ask Verizon how much fun they had getting salt water off underground copper
after Sandy.


pgp8NXHwpJb5W.pgp
Description: PGP signature


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Valdis . Kletnieks
On Wed, 21 Dec 2016 19:49:41 -0500, Ken Chase said:

> "If it's a politically-generated thing I'll have to deal with at an
> operational level, it's on topic."

Hmm.. works for me.


pgp0FlidUAEkD.pgp
Description: PGP signature


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Royce Williams
On Wed, Dec 21, 2016 at 8:03 PM, Jason Hellenthal
 wrote:
> Simply put… if the data that is hosted on the sites aforementioned then cough 
> up the damn space and host it. Data space is cheap as hell these days, parse 
> it and get the hell on with it already.
>
> *Disclaimer*
> not meant to single out any one party in this conversation but the whole 
> subject all together. Need someone to help mirror the data ? I may or may not 
> be able to assist with that. Provide the space to upload it to and the 
> direction to the data you want. But beyond all that. This subject is plainly 
> just off topic.

Jason, understood. I clearly should have updated the subject line of
the thread, as you're not the first to continue to respond to the
subject line, instead of what I've been recently saying. :) My most
recent reply was about some operational aspects of country-wide Signal
blocking, not the OP topic.

I would almost consider updating the subject accordingly ... but at
this point, it's clear that transcendence of the amygdala will
continue to elude us, and this thread would apparently rather die than
suffer my attempts to beat it into a plowshare. :)

Royce

>> On Dec 21, 2016, at 22:16, Royce Williams  wrote:
>>
>> On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams  
>> wrote:
>>
>> [snip]
>>
>>> IMO, *operational, politics-free* discussion of items like these would
>>> also be on topic for NANOG:
>>>
>>> - Some *operational* workarounds for country-wide blocking of
>>> Facebook, Whatsapp, and Twitter [1], or Signal [2]
>>
>> [snip]
>>
>>> 2. 
>>> http://www.nytimes.com/aponline/2016/12/20/world/middleeast/ap-ml-egypt-app-blocked.html
>>
>> Steering things back towards the operational, the makers of Signal
>> announced today [1] an update to Signal with a workaround for the
>> blocking that I noted earlier. Support in iOS is still in beta.
>>
>> The technique (which was new to me) is called 'domain fronting' [2].
>> It works by distributing TLS-based components among domains for which
>> blocking would cause wide-sweeping collateral damage if blocked (such
>> as Google, Amazon S3, Akamai, etc.), making blocking less attractive.
>> Since it's TLS, the Signal connections cannot be differentiated from
>> other services in those domains.
>>
>> Signal's implementation of domain fronting is currently limited to
>> countries where the blocking has been observed, but their post says
>> that they're ramping up to make it available more broadly, and to
>> automatically enable the feature when non-local phone numbers travel
>> into areas subject to blocking.
>>
>> The cited domain-fronting paper [2] was co-authored by David Fifield,
>> who has worked on nmap and Tor.
>>
>> Royce
>>
>> 1. https://whispersystems.org/blog/doodles-stickers-censorship/
>> 2. http://www.icir.org/vern/papers/meek-PETS-2015.pdf


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Jason Hellenthal
Simply put… if the data that is hosted on the sites aforementioned then cough 
up the damn space and host it. Data space is cheap as hell these days, parse it 
and get the hell on with it already.


*Disclaimer*
not meant to single out any one party in this conversation but the whole 
subject all together. Need someone to help mirror the data ? I may or may not 
be able to assist with that. Provide the space to upload it to and the 
direction to the data you want. But beyond all that. This subject is plainly 
just off topic.


> On Dec 21, 2016, at 22:16, Royce Williams  wrote:
> 
> On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams  
> wrote:
> 
> [snip]
> 
>> IMO, *operational, politics-free* discussion of items like these would
>> also be on topic for NANOG:
>> 
>> - Some *operational* workarounds for country-wide blocking of
>> Facebook, Whatsapp, and Twitter [1], or Signal [2]
> 
> [snip]
> 
>> 2. 
>> http://www.nytimes.com/aponline/2016/12/20/world/middleeast/ap-ml-egypt-app-blocked.html
> 
> Steering things back towards the operational, the makers of Signal
> announced today [1] an update to Signal with a workaround for the
> blocking that I noted earlier. Support in iOS is still in beta.
> 
> The technique (which was new to me) is called 'domain fronting' [2].
> It works by distributing TLS-based components among domains for which
> blocking would cause wide-sweeping collateral damage if blocked (such
> as Google, Amazon S3, Akamai, etc.), making blocking less attractive.
> Since it's TLS, the Signal connections cannot be differentiated from
> other services in those domains.
> 
> Signal's implementation of domain fronting is currently limited to
> countries where the blocking has been observed, but their post says
> that they're ramping up to make it available more broadly, and to
> automatically enable the feature when non-local phone numbers travel
> into areas subject to blocking.
> 
> The cited domain-fronting paper [2] was co-authored by David Fifield,
> who has worked on nmap and Tor.
> 
> Royce
> 
> 1. https://whispersystems.org/blog/doodles-stickers-censorship/
> 2. http://www.icir.org/vern/papers/meek-PETS-2015.pdf


-- 
 Jason Hellenthal
 JJH48-ARIN






Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Royce Williams
On Tue, Dec 20, 2016 at 7:08 AM, Royce Williams  wrote:

[snip]

> IMO, *operational, politics-free* discussion of items like these would
> also be on topic for NANOG:
>
> - Some *operational* workarounds for country-wide blocking of
> Facebook, Whatsapp, and Twitter [1], or Signal [2]

[snip]

> 2. 
> http://www.nytimes.com/aponline/2016/12/20/world/middleeast/ap-ml-egypt-app-blocked.html

Steering things back towards the operational, the makers of Signal
announced today [1] an update to Signal with a workaround for the
blocking that I noted earlier. Support in iOS is still in beta.

The technique (which was new to me) is called 'domain fronting' [2].
It works by distributing TLS-based components among domains for which
blocking would cause wide-sweeping collateral damage if blocked (such
as Google, Amazon S3, Akamai, etc.), making blocking less attractive.
Since it's TLS, the Signal connections cannot be differentiated from
other services in those domains.

Signal's implementation of domain fronting is currently limited to
countries where the blocking has been observed, but their post says
that they're ramping up to make it available more broadly, and to
automatically enable the feature when non-local phone numbers travel
into areas subject to blocking.

The cited domain-fronting paper [2] was co-authored by David Fifield,
who has worked on nmap and Tor.

Royce

1. https://whispersystems.org/blog/doodles-stickers-censorship/
2. http://www.icir.org/vern/papers/meek-PETS-2015.pdf
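To make the "cannot be differentiated" point concrete, here is an added example (editor's code, not from the post, from Signal, or from the cited paper) that shows what each vantage point learns about a fronted TLS connection: a passive observer on the path can parse the ClientHello and read only the server_name (SNI) of the front domain, while the Host header naming the real backend travels inside the encrypted session and is readable only by the TLS-terminating edge. The ClientHello bytes and the inner HTTP request are constructed here; `front.example` and `backend.example` are placeholder names. The SNI parser handles any ClientHello carrying a server_name extension, not just the constructed one.

```python
"""
Domain fronting from the wire's point of view. Added example, not the
post's, Signal's, or the paper's code. Names ending in .example are
placeholders; the ClientHello and HTTP request are constructed inputs.
"""
import struct


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with only a server_name
    extension (constructed test input, not a real capture)."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host      # type 0 = host_name
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # ext type 0 = server_name
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x00" * 32                   # random (zeros; constructed)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\xc0\x2f"            # cipher_suites: one entry
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse a TLS handshake record and return its server_name, or None.
    This is all a passive middlebox can learn without terminating TLS."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated or malformed record


def host_header(plaintext_http: bytes):
    """Host header of the decrypted HTTP/1.1 request; only the terminating
    edge (the front provider's CDN) ever gets to read this."""
    for line in plaintext_http.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii")
    return None


def is_fronted(sni, host):
    """Fronting shows up as the outer SNI and inner Host disagreeing. The
    terminating edge can apply this check; a passive observer cannot,
    because it never sees `host`."""
    return sni is not None and host is not None and sni.lower() != host.lower()


def vantage_points(sni: str, inner_request: bytes):
    """What each party learns about the destination of one connection."""
    wire = build_client_hello(sni)
    observed_sni = extract_sni(wire)
    edge_host = host_header(inner_request)
    return {
        "passive_observer_sees": observed_sni,         # outer name only
        "terminating_edge_sees": (observed_sni, edge_host),
        "edge_can_tell_fronted": is_fronted(observed_sni, edge_host),
        "observer_can_tell_fronted": False,            # Host is encrypted on the path
    }


# Constructed inner request: the client asked the front for the backend.
INNER_REQUEST = b"GET /v1/example HTTP/1.1\r\nHost: backend.example\r\n\r\n"

if __name__ == "__main__":
    print(vantage_points("front.example", INNER_REQUEST))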


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Tom Beecher
NTP Monlist was what, 200x? 100x amplification attacks are s 2013. :)

I doubt many will fall for your Rolodex expanding exercise though, sorry. (
Do people still have Rolodexes? )

On Wed, Dec 21, 2016 at 11:05 AM, Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate a really high
> volume of traffic: 10+ Tbps.
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We are talking about an amplification factor of x100+. This means that a
> single computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps
> DDoS. Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISPs as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this, but it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm your identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>


Re: replacing EPP?

2016-12-21 Thread John Levine
In article 
 
you write:
>Has there been a discussion about replacing EPP with something more modern?

No.  That was easy.  The spec has been updated a few times, most
recently by RFC 5730 and 5734 in 2009 but it hasn't changed much.

There is an active eppext working group in the IETF that spends most
of its time documenting and cleaning up EPP extensions that registries
and registrars have been using all along but never got around to
writing up clearly.

A new protocol called RDAP is intended to replace WHOIS.  It's pretty
modern, blobs of JSON over http.  You can read all about it in RFC
7480 through 7484.  Some people want to use RDAP to check whether a
domain is available, but there's been a lot of pushback and advice
to use EPP, that's what it's for.

R's,
John


replacing EPP?

2016-12-21 Thread Ryan Finnesey
Has there been a discussion about replacing EPP with something more modern?

Cheers
Ryan



Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Andrew Kirch
I can't for the life of me see why we'd have to deal with it in the course
of our jobs beyond calling someone and having them install more A/C.  This
is, flat-out, off topic.

Andrew

On Wed, Dec 21, 2016 at 9:15 PM, Royce Williams 
wrote:

> On Wed, Dec 21, 2016 at 3:49 PM, Ken Chase  wrote:
> > On Wed, Dec 21, 2016 at 04:41:29PM -0800, Doug Barton said:
> >  [..]
> >   >>Everyone has a line at which "I don't care what's in the pipes, I
> just
> >   >>work here" changes into something more actionable.
> >   >
> >   >Stretched far beyond any credibility. Your argument boils down to,
> "If it's
> >   >a political thing that *I* like, it's on topic."
>
> I can see why you've concluded that. My final phrasing was indeed
> ambiguous. I would have hoped that the rest of my carefully
> non-partisan post would have offset that ambiguity.
>
> > "If it's a politically-generated thing I'll have to deal with at an
> > operational level, it's on topic."
> >
> > That work?
>
> That is indeed what I was trying to say - thanks, Ken.
>
> Royce
>


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Royce Williams
On Wed, Dec 21, 2016 at 3:49 PM, Ken Chase  wrote:
> On Wed, Dec 21, 2016 at 04:41:29PM -0800, Doug Barton said:
>  [..]
>   >>Everyone has a line at which "I don't care what's in the pipes, I just
>   >>work here" changes into something more actionable.
>   >
>   >Stretched far beyond any credibility. Your argument boils down to, "If it's
>   >a political thing that *I* like, it's on topic."

I can see why you've concluded that. My final phrasing was indeed
ambiguous. I would have hoped that the rest of my carefully
non-partisan post would have offset that ambiguity.

> "If it's a politically-generated thing I'll have to deal with at an
> operational level, it's on topic."
>
> That work?

That is indeed what I was trying to say - thanks, Ken.

Royce


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Ken Chase
On Wed, Dec 21, 2016 at 04:41:29PM -0800, Doug Barton said:
 [..]
  >>Everyone has a line at which "I don't care what's in the pipes, I just
  >>work here" changes into something more actionable.
  >
  >Stretched far beyond any credibility. Your argument boils down to, "If it's
  >a political thing that *I* like, it's on topic."

"If it's a politically-generated thing I'll have to deal with at an
operational level, it's on topic."

That work?

/kc
--
Ken Chase - m...@sizone.org


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-21 Thread Doug Barton

On 12/20/2016 8:08 AM, Royce Williams wrote:
> On Sat, Dec 17, 2016 at 6:15 PM, Doug Barton  wrote:
>> On 12/16/2016 1:48 PM, Hugo Slabbert wrote:
>>
>> This started as a technical appeal, but:
>>
>> https://www.nanog.org/list
>>
>> 1. Discussion will focus on Internet operational and technical issues as
>> described in the charter of NANOG.
>>
>> Hard to see how the OP has anything to do with either of the above.
>
> Actually, it's not that hard ... *if* we can control ourselves from
> making them partisan, and focus instead on the operational aspects.
> (Admittedly, that's pretty hard!)
>
> The OP's query was a logical combination of two concepts:
>
> - First, from the charter (emphasis mine): "NANOG provides a forum
> where people from the network research community, the network operator
> community and the network vendor community can come together *to
> identify and solve the problems that arise in operating and growing
> the Internet*."
>
> - Second, from John Gilmore: "The Net interprets censorship as damage
> and routes around it."
>
> [snip]
>
> Everyone has a line at which "I don't care what's in the pipes, I just
> work here" changes into something more actionable.

Stretched far beyond any credibility. Your argument boils down to, "If 
it's a political thing that *I* like, it's on topic."




[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Jean | ddostest.me via NANOG

Hello all, I'm a first time poster here and hope to follow all rules.

I found a new way to amplify traffic that would generate a really high 
volume of traffic: 10+ Tbps.


** There is no need for spoofing ** so any device in the world could 
initiate a really big attack or be part of an attack.


We are talking about an amplification factor of x100+. This means that a 
single computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps 
DDoS. Imagine what a botnet could do?


The list of affected businesses is huge and I would like to privately 
disclose the details to the Tier1 ISPs as they are highly vulnerable.


XO Comm
PSINET
Level 3
Qwest
Windstream Comm
Earthlink
MCI Comm/Verizon Buss
Comcast Cable Comm
AT
Sprint

I know it's Christmas time and there is no rush in disclosing this, but 
it could be a nice opportunity to meditate and shed some light on this 
new DDoS threat. We could start the real work in January.



If you are curious and you operate/manage one of the networks mentioned 
above, please write to me at tornad...@ddostest.me from your job email 
to confirm your identity. I will then forward you the DDoS details.


Best regards

Jean St-Laurent
ddostest.me
365 boul. Sir-Wilfrid-Laurier #202
Beloeil, QC J3G 4T2


Re: Recent NTP pool traffic increase (update)

2016-12-21 Thread FUJIMURA Sho
Hello.

I'm Sho FUJIMURA.
I operate public NTP services at 133.100.9.2 and 133.100.11.8.
I'd like to reduce the traffic because I have had trouble with too much
traffic recently.
So, I'm interested in the root of the problem.
If possible, would you please tell me the model numbers of Tenda and TP-Link?

-- 
Sho FUJIMURA
Information Technology Center, Fukuoka University.
8-19-1, Nanakuma, Jyonan-ku, Fukuoka, 8140180, Japan


2016-12-20 5:33 GMT+09:00 Denys Fedoryshchenko :
> I'm not sure if this issue is relevant to the discussed topic. Tenda routers
> have been on the market here for a while, and I think I noticed this issue
> just now because the NTP servers they are using, supposedly for a healthcheck,
> went down (or the NTP owners blocked the ISPs I support, due to such routers).
>
> At least after checking numerous users, I believe Tenda hardcoded those NTP
> IPs. What worsens the issue is that in Lebanon, several times per day (for
> example at 18pm), there is a short electricity cutoff, and the majority of
> users' routers will reboot and surely reconnect, so it will look like a
> countrywide spike in NTP traffic.
>
> I also checked these NTP IPs in DNS responses for 10 min; none of the
> thousands of users tried to resolve any name to them over any DNS server, so
> I conclude they are hardcoded somewhere in the firmware.
>
> Here is the traffic of a Tenda router after reconnecting (but not a full
> power cycle, I don't have it in my hands). As you can see, no DNS resolution
> attempts:
>
> 20:15:59.305739 PPPoE  [ses 0x1483] CHAP, Success (0x03), id 1, Msg S=XX
> M=Authentication succeeded
> 20:15:59.306100 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length
> 12
> 20:15:59.317840 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length
> 24
> 20:15:59.317841 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 1, length 12
> 20:15:59.317867 PPPoE  [ses 0x1483] IPCP, Conf-Nack (0x03), id 1, length 18
> 20:15:59.325253 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 2, length
> 24
> 20:15:59.325273 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 2, length 24
> 20:15:59.335589 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 133.100.9.2.123:
> NTPv3, Client, length 48
> 20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.41.123:
> NTPv3, Client, length 48
> 20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.40.123:
> NTPv3, Client, length 48
>
>
> Here is an example of Tenda traffic when it is unable to reach the
> destination: it repeats the request every 10 seconds endlessly. My guess is
> that they are using NTP to show the status of the internet connection.
> So now the NTP servers are getting a quite significant DDoS this way.
>
> 19:57:52.162863 IP (tos 0x0, ttl 64, id 38515, offset 0, flags [none], proto
> UDP (17), length 76)
> 172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48
> Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s),
> precision 0
> Root Delay: 0.00, Root dispersion: 0.00, Reference-ID:
> (unspec)
>   Reference Timestamp:  0.0
>   Originator Timestamp: 0.0
>   Receive Timestamp:0.0
>   Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
> Originator - Receive Timestamp:  0.0
> Originator - Transmit Timestamp: 3691177063.0
> (2016/12/19 22:57:43)
> 19:57:52.163277 IP (tos 0x0, ttl 64, id 38516, offset 0, flags [none], proto
> UDP (17), length 76)
> 172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length 48
> Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s),
> precision 0
> Root Delay: 0.00, Root dispersion: 0.00, Reference-ID:
> (unspec)
>   Reference Timestamp:  0.0
>   Originator Timestamp: 0.0
>   Receive Timestamp:0.0
>   Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
> Originator - Receive Timestamp:  0.0
> Originator - Transmit Timestamp: 3691177063.0
> (2016/12/19 22:57:43)
> 19:57:52.164435 IP (tos 0x0, ttl 64, id 38517, offset 0, flags [none], proto
> UDP (17), length 76)
> 172.16.31.67.123 > 133.100.9.2.123: [udp sum ok] NTPv3, length 48
> Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s),
> precision 0
> Root Delay: 0.00, Root dispersion: 0.00, Reference-ID:
> (unspec)
>   Reference Timestamp:  0.0
>   Originator Timestamp: 0.0
>   Receive Timestamp:0.0
>   Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
> Originator - Receive Timestamp:  0.0
> Originator - Transmit Timestamp: 3691177063.0
> (2016/12/19 22:57:43)
> 19:58:02.164781 IP (tos 0x0, ttl 64, id 38518, offset 0, flags [none], proto
> UDP (17), length 76)
> 172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48
> Client, Leap indicator:  

Re: Recent NTP pool traffic increase (update)

2016-12-21 Thread Denys Fedoryshchenko

Hello,

I'm not sure I should continue to CC nanog; if someone is interested in
being CC'd on further updates to this story, please let me know.


TP-Link is not related; it was a misunderstanding or a wrong customer report.

Tenda routers: I believe most of the cheap models are affected by this 
problem.
On the ISPs I have access to, I see too many of them sending requests to 
133.100.9.2 (repeating every 10 seconds if it is unreachable); this 
particular IP seems to be hardcoded there. I am sure that as soon as your 
server is down, the way they coded it, all these routers will DDoS this 
particular IP, repeating NTP queries very often without any 
backoff/protection mechanism.
The particular model I tested is the W308R / Wireless N300 Home Router, but 
I believe many models are affected.

Firmware: System Version: 5.0.7.53_en hw version : v1.0

Another possible vendor is LB-Link, but I don't have any info yet from 
customers who own them.


On 2016-12-21 11:00, FUJIMURA Sho wrote:

Hello.

I'm Sho FUJIMURA.
Thank you for your information.
I operate public NTP services at 133.100.9.2 and 133.100.11.8.
I'd like to reduce the traffic because I have had trouble with too much
traffic recently.
So, I'm interested in the root of the problem.
If possible, would you please tell me the model numbers of Tenda and
TP-Link?

--
Sho FUJIMURA
Information Technology Center, Fukuoka University.
8-19-1, Nanakuma, Jyonan-ku, Fukuoka, 8140180, Japan

fujim...@fukuoka-u.ac.jp

2016-12-20 5:33 GMT+09:00 Denys Fedoryshchenko :


I'm not sure if this issue is relevant to the discussed topic. Tenda
routers have been on the market here for a while, and I think I noticed
this issue just now because the NTP servers they are using, supposedly
for a healthcheck, went down (or the NTP owners blocked the ISPs I
support, due to such routers).

At least after checking numerous users, I believe Tenda hardcoded
those NTP IPs. What worsens the issue is that in Lebanon, several times
per day (for example at 18pm), there is a short electricity cutoff,
and the majority of users' routers will reboot and surely reconnect, so
it will look like a countrywide spike in NTP traffic.

I also checked these NTP IPs in DNS responses for 10 min; none of the
thousands of users tried to resolve any name to them over any DNS
server, so I conclude they are hardcoded somewhere in the firmware.

Here is the traffic of a Tenda router after reconnecting (but not a full
power cycle, I don't have it in my hands). As you can see, no DNS
resolution attempts:

20:15:59.305739 PPPoE  [ses 0x1483] CHAP, Success (0x03), id 1, Msg
S=XX M=Authentication succeeded
20:15:59.306100 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1,
length 12
20:15:59.317840 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1,
length 24
20:15:59.317841 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 1,
length 12
20:15:59.317867 PPPoE  [ses 0x1483] IPCP, Conf-Nack (0x03), id 1,
length 18
20:15:59.325253 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 2,
length 24
20:15:59.325273 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 2,
length 24
20:15:59.335589 PPPoE  [ses 0x1483] IP 172.17.49.245.123 >
133.100.9.2.123: NTPv3, Client, length 48
20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 >
192.5.41.41.123: NTPv3, Client, length 48
20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 >
192.5.41.40.123: NTPv3, Client, length 48

Here is an example of Tenda traffic when it is unable to reach the
destination: it repeats the request every 10 seconds endlessly. My guess
is that they are using NTP to show the status of the internet connection.
So now the NTP servers are getting a quite significant DDoS this way.

19:57:52.162863 IP (tos 0x0, ttl 64, id 38515, offset 0, flags
[none], proto UDP (17), length 76)
172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length
48
Client, Leap indicator:  (0), Stratum 0 (unspecified), poll
0 (1s), precision 0
Root Delay: 0.00, Root dispersion: 0.00,
Reference-ID: (unspec)
Reference Timestamp:  0.0
Originator Timestamp: 0.0
Receive Timestamp:0.0
Transmit Timestamp:   3691177063.0 (2016/12/19
22:57:43)
Originator - Receive Timestamp:  0.0
Originator - Transmit Timestamp: 3691177063.0
(2016/12/19 22:57:43)
19:57:52.163277 IP (tos 0x0, ttl 64, id 38516, offset 0, flags
[none], proto UDP (17), length 76)
172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length
48
Client, Leap indicator:  (0), Stratum 0 (unspecified), poll
0 (1s), precision 0
Root Delay: 0.00, Root dispersion: 0.00,
Reference-ID: (unspec)
Reference Timestamp:  0.0
Originator Timestamp: 0.0
Receive Timestamp:0.0
Transmit Timestamp:   3691177063.0 (2016/12/19
22:57:43)
Originator - Receive Timestamp:  0.0
Originator - Transmit Timestamp: 3691177063.0
(2016/12/19 22:57:43)
19:57:52.164435 IP (tos 0x0, ttl 64, id 38517, offset 0, flags
[none], proto UDP (17), length 76)
172.16.31.67.123 > 133.100.9.2.123: [udp sum ok] NTPv3, length
48
Client, Leap indicator:  (0), Stratum 0