[Pool] DDOS protection check?
brak at constant.com
Mon Feb 10 17:01:37 UTC 2014
On 2/10/2014 11:58 AM, Scott Baker wrote:
> On 02/10/2014 08:49 AM, Brian Rak wrote:
>> Your servers both look okay. What did the email say?
> This is the email that came in this weekend. Not sure when it supposedly
> occurred though.
>> Dear Admin, The following IP address, 22.214.171.124, which is located
>> on your network has been actively exploited to launch a
>> distributed denial of service attack against one or more IP addresses
>> in the ranges of 126.96.36.199/29, and/or 188.8.131.52/29. The
>> attack was detected as NTP Amplification, and the CVE on the exploited
>> vulnerability can be found here:
>> http://www.cvedetails.com/cve/CVE-2013-5211/. Please patch, or notify
>> your customer to patch this vulnerability to help make the internet a
>> better place for us all. If you require any other information, such as
>> TCP Dump logs from the attack, please contact me at xnite at xnite.org
>> THIS EMAIL IS NOT ACTIVELY MONITORED, DO NOT REPLY TO THIS EMAIL!!.
I'd probably email them and ask for tcpdump logs. What I suspect is the
case is that their machine is using the pool for NTP servers, then blindly
sending out abuse reports when it sees NTP traffic. If that's the case,
the tcpdump output would be minimal. If it's not, send us the tcpdump
logs they provide.
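One way to act on that suggestion once tcpdump logs arrive, as an added example that is not part of this thread or the pool project's code: it sorts NTP UDP payloads into the ordinary client/server exchanges a pool server sees and the mode-7 monlist traffic behind CVE-2013-5211. The header layout follows ntpd's ntp_request.h; the sample packets are constructed, not captured.

```python
"""Classify NTP UDP payloads: normal pool traffic vs. mode-7 monlist amplification.

Added example for this thread, not code from the NTP pool project. Packets
below are constructed for illustration; feed real payloads from a capture.
"""
import struct

# First header byte is LI:2 bits, VN:3 bits, Mode:3 bits (low bits).
MODE_CLIENT, MODE_SERVER, MODE_PRIVATE = 3, 4, 7
# Mode-7 request codes for the monitor list (ntp_request.h).
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42


def classify(payload: bytes) -> str:
    """Return a label for one NTP UDP payload."""
    if len(payload) < 8:
        return "malformed"
    mode = payload[0] & 0x07
    if mode in (MODE_CLIENT, MODE_SERVER) and len(payload) == 48:
        return "normal-ntp"                  # what pool clients/servers exchange
    if mode == MODE_PRIVATE:
        is_response = bool(payload[0] & 0x80)   # R bit: this is a reply
        req_code = payload[3]
        nitems = struct.unpack("!H", payload[4:6])[0] & 0x0FFF  # low 12 bits
        if req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
            if is_response and nitems > 0:
                return "monlist-response"    # the large, amplified reply
            return "monlist-request"         # the small (often spoofed) trigger
        return "mode7-other"
    return "other-ntp"


def summarize(payloads):
    """Count labels and bytes per label; a clean server shows only normal-ntp."""
    counts, total_bytes = {}, {}
    for p in payloads:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
        total_bytes[label] = total_bytes.get(label, 0) + len(p)
    return counts, total_bytes


# Constructed sample packets (not from any real capture).
CLIENT_REQ = bytes([0x23]) + bytes(47)      # LI=0 VN=4 mode=3, 48 bytes
SERVER_RESP = bytes([0x24]) + bytes(47)     # LI=0 VN=4 mode=4, 48 bytes
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 42]) + bytes(4)   # VN=2 mode=7 impl=3
# Reply: R bit set, 6 items of 72 bytes each -> 8-byte header + 432 bytes.
MONLIST_RESP = bytes([0x97, 0x00, 0x03, 42]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)
```

Run over a whole capture, a server that only answers pool clients yields nothing but `normal-ntp`, which is the "minimal" tcpdump output the reply above anticipates.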