Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices, has surfaced a current issue he's facing with ongoing NTP amplification attacks. A good US-CERT summary of the attack is here: https://www.us-cert.gov/ncas/alerts/TA14-013A. Brett indicates that: "We are seeing massive attacks on our NTP servers, attempting to exploit the traffic amplification vulnerability reported last month. Our IPs are being probed by an address in the Netherlands, and a couple of them -- at which unpatched servers were discovered -- are being hit with about 3 million spoofed packets per hour. (We've since patched and firewalled the vulnerable servers, but the packets keep coming.) The spoofed packets are crafted so that they appear to be originating mostly from port 53 and 80, but occasionally have other port numbers such as 3074 (XBox) and 6667 (IRC). This is a very serious attack for us, and I'd appreciate some help in alerting folks to it." He also sent along an 8-second packet capture that I've visualized as seen below.
According to Brett, folks receiving similar traffic will see numerous "monitor" queries from spoofed source addresses and ports. His ISP is receiving roughly 3 million of these packets every hour, aimed at 3 IP addresses that belonged to FreeBSD servers that were vulnerable in their default configurations, servers that have now been patched and firewalled. He reminds us that even when The FreeBSD Project's patch has been applied, a vulnerable server will continue to respond to the queries with an equal number of rejection packets. While the patch eliminates the traffic amplification, the traffic is still echoed and its origin is further obscured. If readers are seeing similar traffic, please provide details in comments here.
Russ McRee 198 Posts ISC Handler Feb 26th 2014 |
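For readers checking their own captures for the "monitor" queries described above, here is an added example (not part of the original diary or Brett's data) that decodes the NTP mode 7 header, flags monlist requests, and compares reply bytes to request bytes. It assumes ntpd's mode 7 header layout and request codes 20 and 42; the function names are hypothetical, and the sample packets and documentation-range addresses are constructed.

```python
import struct
from collections import Counter

# Mode 7 ("private", ntpdc) header: flags, auth/sequence, implementation,
# request code, err(4 bits)/nitems(12 bits), mbz(4 bits)/itemsize(12 bits).
HDR = struct.Struct("!BBBBHH")
MODE_PRIVATE = 7
MONLIST_CODES = {20, 42}  # ntpd's REQ_MON_GETLIST and REQ_MON_GETLIST_1


def parse_mode7(payload):
    """Decode a mode 7 header from a UDP payload; None if it is not mode 7."""
    if len(payload) < HDR.size:
        return None
    flags, _seq, impl, code, err_nitems, mbz_size = HDR.unpack_from(payload)
    if flags & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(flags & 0x80), "version": (flags >> 3) & 0x07,
            "impl": impl, "code": code,
            "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
            "itemsize": mbz_size & 0x0FFF}


def is_monlist_request(payload):
    hdr = parse_mode7(payload)
    return hdr is not None and not hdr["response"] and hdr["code"] in MONLIST_CODES


def summarize(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, payload) seen at the server.

    Returns (claimed sources of monlist requests, reply bytes / request bytes).
    The claimed source of a spoofed request is the reflection target.
    """
    claimed = Counter()
    bytes_in = bytes_out = 0
    for src_ip, src_port, _dst_ip, dst_port, payload in packets:
        hdr = parse_mode7(payload)
        if hdr is None or hdr["code"] not in MONLIST_CODES:
            continue
        if hdr["response"] and src_port == 123:
            bytes_out += len(payload)
        elif not hdr["response"] and dst_port == 123:
            bytes_in += len(payload)
            claimed[(src_ip, src_port)] += 1
    return claimed, (bytes_out / bytes_in if bytes_in else 0.0)


# --- constructed sample traffic (documentation address ranges) ---
SERVER, TARGET = "192.0.2.10", "198.51.100.7"
REQUEST = HDR.pack(0x17, 0, 3, 42, 0, 0)                   # 8-byte query
REJECT = HDR.pack(0x97, 0, 3, 42, 4 << 12, 0)              # error reply, no items
LISTING = HDR.pack(0x97, 0, 3, 42, 6, 72) + bytes(6 * 72)  # 6 items of 72 bytes
CLIENT = b"\x23" + bytes(47)                               # ordinary mode 3 query

PATCHED = [(TARGET, 53, SERVER, 123, REQUEST), (SERVER, 123, TARGET, 53, REJECT),
           (TARGET, 80, SERVER, 123, REQUEST), (SERVER, 123, TARGET, 80, REJECT),
           (TARGET, 53, SERVER, 123, REQUEST), (SERVER, 123, TARGET, 53, REJECT),
           ("203.0.113.5", 40123, SERVER, 123, CLIENT)]
UNPATCHED = [(TARGET, 53, SERVER, 123, REQUEST), (SERVER, 123, TARGET, 53, LISTING)]

if __name__ == "__main__":
    for name, capture in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        claimed, ratio = summarize(capture)
        print(name, dict(claimed), f"reply/request byte ratio {ratio:.1f}")
```

In the constructed patched capture the ratio is 1.0, matching the diary's point that a patched server still echoes one rejection per query; dropping the queries at the firewall is what stops the echo.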
Feb 26th 2014 6 years ago |
Somebody could make a quick buck right now by making a plug and play GPS-based / Wifi enabled NTP master device.
I tried using a Wifi-networked Raspberry Pi for this at home, but the Pi OS wasn't stable enough, it kept crashing. A slightly beefier platform, maybe like the new Intel Galileo, would be needed. NTP clients didn't have any problems with the slight latency and jitter of a Wifi based server, it's a pretty beefy protocol (well, except for this monlist thing ..)
Anonymous |
Feb 26th 2014 6 years ago |
Reader Timothy sent along a log sample and these notes:
"The Diary mentioned IP ADDRESS 93.174.95.119 (NL) so I opened up the filter on the IP slightly to get this report. Will look at my other reports to see if any additional information available to isolate the sources. Have not been getting the volume that others are seeing but am losing connection with the NTP servers in use for time."
Russ McRee 198 Posts ISC Handler |
Feb 26th 2014 6 years ago |
We, too, are seeing other attacks from Ecatel. For example, we just started getting probes of TCP Port 30022 on all of our IPs -- in random order -- from the IP address 93.174.93.51. They look like this:
17:24:30.608516 IP 93.174.93.51.49087 > 66.62.230.XXX.30022: Flags [S], seq 2783702063, win 65535, length 0

Since it appears that Ecatel is the source of many exploits (and probes for vulnerable systems), we've blocked their entire IP range, which includes 93.174.88.0/21.

--Brett
BrettGlass 3 Posts |
Feb 27th 2014 6 years ago |
The listed 93.174.93.51 IP address appears to be hosted by Ecatel in the Netherlands, who appear to be known bad actors: http://bot24.blogspot.com/2012/07/anonymous-strikes-again-by-trying-to.html
Spam 5 Posts |
Feb 27th 2014 6 years ago |
I'm using a trio of Raspberry Pis for NTP. Seems to be working well for me. What OS did you have stability issues with?
Chris 6 Posts |
Feb 27th 2014 6 years ago |
Quoting our friends at WebSense, "Malicious Web Sites URL: http://93.174.93.51"
CBob 23 Posts |
Feb 27th 2014 6 years ago |
Botnet NTP amplification attacks have continued from February into March, but now with a new twist. The original attacks used 8-byte packets, but we are now receiving some that use 12-byte packets - perhaps attempting to exploit a new variant of the original vulnerability.
BrettGlass 3 Posts |
Mar 11th 2014 6 years ago |
We are still seeing these scans even now.
BrettGlass 1 Posts |
Jan 11th 2016 5 years ago |