port 123 reflection attacks

Where does it say we need to contact home cert instead on your website?
verification of what?
HSOFT ranges have been compromised by NTP reflection attacks and the NTP servers hosted by HSOFT need to have an NTP update.

This has been discussed on NANOG and I also sent information in Chinese to aid debug as well.

Have had no response from HSOFT…

Colin

hi ya colin

Where does it say we need to contact home cert instead on your website?

because cncert@cert.org.cn asked ?

verification of what?

i'd want to see if it's a simple port scan by a script kiddie vs
a more serious upcoming DOS attack from attackers with an "evil purpose"

they might just be poking around to find vulnerable ntpd servers ?

since there's been no satisfactory answer in 5 days,
in the meantime, i'd suggest:
- be sure ntpd is properly configured
- be sure to be running the latest (no known exploits) ntpd server
- ntpd servers should only be necessary for your servers ...
  and incoming connections from outside should never reach your ntpd
- use an alternative ntpd server/source on a different wire

HSOFT ranges have been compromised by NTP reflection attacks

there's a difference between compromised vs port scanning (probes)

- compromised... hsoft need to fix it (upgrade and reconfigure ntpd)

- probes/scanners ... nothing much you can do other than limit your
  outgoing (123/udp) replies

- there are thousands of probes occurring constantly on various ports ...

and the NTP servers hosted by HSOFT need to have an NTP update.

they better get going to update their ntpd and configs ...

i'd rattle hsoft's cage harder ... :slight_smile:

This has been discussed on NANOG and I also sent information in Chinese to aid debug as well.

Have had no response from HSOFT…

:slight_smile:

i wonder what else is occupying their time

magic pixie dust
alvin

> From: "cncertcc" <cncert@cert.org.cn>
> Subject: Re:Fwd: port 123 reflection attacks
> Date: 30 December 2015 at 08:15:28 GMT
> To: "Colin Johnston" <colinj@gt86car.org.uk>
>
> Greetings,
> Please forward the case to the corresponding CERT you are located in first to have it transferred to CNCERT after verification. Thanks for your understanding.

...

- be sure ntpd is properly configured

to be explicit, test it

     % ntpdc -n -c monlist psg.com
     psg.com: timed out, nothing received
     ***Request timed out

this is the desired result. any real response means the host is open
to be a reflector

fwiw, i got caught last week. a Debian vm had been brought up using
dhcp, and the /var/lib/ntp/ntp.conf.dhcp was still there after the host
was reconfigured to static. took me a while to find it. embarrassing.
my ntp.yml playbook now has as its first task

    - name: remove dhcpd artifact
      file: path=/var/lib/ntp/ntp.conf.dhcp state=absent

randy
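A config-side companion to alvin's "be sure ntpd is properly configured" and randy's monlist test, added here as an example and not code from any poster in this thread: it audits ntp.conf text (classic ntp.org ntpd syntax is assumed) for the `noquery` default restriction or a `disable monitor` line, either of which stops the host answering monlist. The two sample configs are constructed.

```python
# Audit an ntp.conf for the settings that stop it acting as a monlist
# reflector. Assumes ntp.org ntpd syntax: `restrict [-4|-6] default ...`
# with the noquery (or ignore) flag, or `disable monitor`.

WEAK_CONF = """\
# constructed sample: a default line without noquery answers monlist
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

FIXED_CONF = """\
# constructed sample: noquery on both address families blocks mode 6/7
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def audit_ntp_conf(text):
    """Return (ok, findings); ok is True when monlist cannot be served."""
    findings = []
    defaults = {}          # 'any' / 'v4' / 'v6' -> flags on that default line
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == 'disable' and 'monitor' in words[1:]:
            monitor_disabled = True
        elif words[0] == 'restrict':
            family, rest = 'any', words[1:]
            if rest and rest[0] in ('-4', '-6'):
                family = 'v4' if rest[0] == '-4' else 'v6'
                rest = rest[1:]
            if rest and rest[0] == 'default':
                defaults[family] = set(rest[1:])
    if monitor_disabled:
        return True, []    # no monitor data means nothing to reflect
    for fam, label in (('v4', 'IPv4'), ('v6', 'IPv6')):
        # a bare `restrict default` covers both families
        flags = defaults.get(fam, defaults.get('any'))
        if flags is None:
            findings.append(f'no default restrict line for {label}')
        elif not flags & {'noquery', 'ignore'}:
            findings.append(f'{label} default restrict lacks noquery')
    return not findings, findings
```

Run it over the live file with `audit_ntp_conf(open('/etc/ntp.conf').read())`, and remember randy's point: a leftover ntp.conf.dhcp can override the file you audited.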