[ntp:hackers] [Fwd: NTP blast]
David Mills
mills at udel.edu
Thu Apr 8 17:02:01 UTC 2010
-------- Original Message --------
Subject: NTP blast
Date: Thu, 8 Apr 2010 12:12:02 -0400 (EDT)
From: Richard Schmidt <rich.schmidt at usno.navy.mil>
To: mills at UDel.Edu
Dave, could you post this for me, as my site hiding prevents me from
posting to hackers ntp list?
USNO NTP Flood.
Here are some details on an NTP flood that occurred on April 7 at USNO.
See plots at http://tycho.usno.navy.mil/ntpplot.html
Normally we peak at 13000 packets/sec. on the hour (SNTP) but at
2010 04 07 21:00 UT, we peaked at 15000, rising steadily to 24,000 packets per
second at 2010 04 07 21:59 UT.
We transmitted back to all these packets, using three HP-UX rx2620 servers
as you can see from the ntptx.gif.
By the time I could fire up Wireshark and look for culprits, I only detected
three IPs hitting us at 1800 packets/sec. One was a Bell South DSL:
74.228.1112.211.
Last week we were hit for a few moments at the same levels, and again Wireshark
detected only a few abusers at about 1800 packets/sec.
The possibility exists that this is an exploratory DoS attack, given the
startup exactly on an hour, but we cannot rule out inadvertent defective DSL
routers in action.
Rich Schmidt
Time Service Dept.
US Naval Observatory
rich.schmidt at usno.navy.mil
--
* ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ *
~ Richard Schmidt Systems Engineering Branch ~
~ Time Service Department rich.schmidt at usno.navy.mil ~
~ U.S. Naval Observatory, Wash., DC 20392 (202)-762-1578; Fax 762-1511 ~
~ http://tycho.usno.navy.mil ~
* ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ *