[Pool] DDOS protection check?

Brian Rak brak at constant.com
Mon Feb 10 17:01:37 UTC 2014


On 2/10/2014 11:58 AM, Scott Baker wrote:
> On 02/10/2014 08:49 AM, Brian Rak wrote:
>> Your servers both look okay.  What did the email say?
> This is the email that came in this weekend. Not sure when it supposedly
> occurred though.
>
>> Dear Admin, The following IP address, 65.182.224.39, which is located
>> on your network has been actively exploited to launch a
>> distributed denial of service attack against one or more IP addresses
>> in the ranges of 108.170.21.34/29, and/or 184.164.158.160/29. The
>> attack was detected as NTP Amplification, and the CVE on the exploited
>> vulnerability can be found here:
>> http://www.cvedetails.com/cve/CVE-2013-5211/. Please patch, or notify
>> your customer to patch this vulnerability to help make the internet a
>> better place for us all. If you require any other information, such as
>> TCP Dump logs from the attack, please contact me at xnite at xnite.org
>> THIS EMAIL IS NOT ACTIVELY MONITORED, DO NOT REPLY TO THIS EMAIL!!.
I'd probably email them and ask for tcpdump logs.  What I suspect is the 
case is their machine is using the pool for NTP servers, then blindly 
sending out abuse reports when it sees NTP traffic.  If that's the case, 
the tcpdump output would be minimal.  If it's not, send us the tcpdump 
logs they provide.
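As an added example, not from this thread or the pool project: a defender-side check of an ntpd configuration for the CVE-2013-5211 (monlist) mitigation, assuming standard ntp.conf syntax; the weak and hardened sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check an ntpd configuration for the
# CVE-2013-5211 mitigation. monlist (mode 7) is answered only when the
# "monitor" feature is on AND the matching restrict line lacks "noquery".
# Assumes ntp.conf syntax. Returns 0 = mitigated, 1 = still exposed.
ntp_monlist_mitigated() {
    conf="$1"
    # Drop comments and blank lines so commented-out directives don't count.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # "disable monitor" turns off the MRU list that monlist reads; sufficient alone.
    if printf '%s\n' "$body" | grep -Eq \
        '^[[:space:]]*disable([[:space:]]+[[:alnum:]_]+)*[[:space:]]+monitor([[:space:]]|$)'; then
        return 0
    fi

    # Otherwise every default restrict line (IPv4 and IPv6) must carry noquery.
    defaults=$(printf '%s\n' "$body" | grep -E \
        '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)')
    [ -n "$defaults" ] || return 1          # no default policy at all: exposed
    if printf '%s\n' "$defaults" | grep -Evq '(^|[[:space:]])noquery([[:space:]]|$)'; then
        return 1                             # some default line still answers queries
    fi
    return 0
}

# Constructed sample configs (not from the thread): weak vs. hardened.
weak=$(mktemp); hardened=$(mktemp)
cat >"$weak" <<'EOF'
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer    # noquery missing
EOF
cat >"$hardened" <<'EOF'
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF

report() {
    if ntp_monlist_mitigated "$1"; then echo "$2: mitigated"; else echo "$2: exposed to monlist"; fi
}
report "$weak" weak-sample; report "$hardened" hardened-sample
rm -f "$weak" "$hardened"
```

Run it against a real /etc/ntp.conf with `ntp_monlist_mitigated /etc/ntp.conf` before replying to an abuse report; a passing check plus the sender's tcpdump logs is what settles whether the report was a false positive.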

