Vulnerability on Global Internet Exchange Data Centres

DNS, NTP, SSDP DoS attacks no longer need to be distributed with botnets

I have devised a state for a vulnerability to be exploited in a data centre within a Global Internet Exchange to provide vast bandwidth to DNS, NTP & SSDP servers to create the DoS attacks.


Many of the Global Internet Exchanges (IE) offer high bandwidth edge/centre data centre services from within the IE.

Arbor Networks build custom software to mitigate DDoS-type attacks from the perimeter of the networks. Arbor Networks run their software on Cisco ASR 9000 series aggregation services routers.

These routers are designed to prevent DDoSes from affecting the websites running on the servers behind the routers.


Can a Cisco ASR 9922 aggregation services router running Arbor Networks software mitigate a DNS, NTP & SSDP amplification DoS originating from one or a few servers based in IEs?

It is an interesting concept to see how much data you could create from four servers with 100 Gbps ports within the LINX data centre in Telehouse.

Telehouse in London is based on Juniper & Extreme Networks hardware.

There are DDoS mitigation systems throughout the network; however, I am under the impression this is for protecting services within LINX from external communications that pose a threat to the services.

I am questioning whether any of the IE Points of Presence (PoPs) run an equivalent to the Arbor Networks DDoS mitigation software internally.


Excessive connections to DNS, NTP & SSDP servers should be monitored to prevent a massive DoS. I am writing DoS (Denial of Service) attack, rather than DDoS (Distributed Denial of Service) attack, because this could be one person using DNS, NTP & SSDP amplification.


I would like to find out more, particularly from LINX. I would also like to find out from CloudFlare if this is something that could be achieved within their data centres.

I wonder if multiple servers mixing the traffic of DNS, NTP & SSDP amplification with normal web-hosted traffic (which could be part of the DoS) would pass under the radar of mitigation services on the Layer 7 managed switches & Layer 7 routers.
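The monitoring suggested above can be sketched as a per-sender counter over flow records. This is an added example, not code from the original post or from any vendor named in it; the flow-record shape, thresholds and addresses are assumptions constructed for illustration. It counts only UDP requests to the DNS, NTP and SSDP ports, so web traffic from the same sender does not dilute the result.

```python
from collections import defaultdict

# UDP ports of the three protocols the post names.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

def find_noisy_senders(flows, window_s, max_servers=50, max_pps=1000):
    """Flag senders whose DNS/NTP/SSDP request volume in one window is excessive.

    flows: (sender, dst_ip, proto, dst_port, packets) tuples, a hypothetical
    flow-record shape. Thresholds are illustrative and need local tuning.
    """
    servers = defaultdict(set)
    packets = defaultdict(int)
    for sender, dst, proto, dport, pkts in flows:
        if proto != "udp" or dport not in REFLECTOR_PORTS:
            continue  # other traffic is skipped, so it cannot dilute the counts
        servers[sender].add((dst, dport))
        packets[sender] += pkts
    alerts = {}
    for sender, seen in servers.items():
        pps = packets[sender] / window_s
        if len(seen) > max_servers or pps > max_pps:
            alerts[sender] = {
                "servers": len(seen),
                "pps": pps,
                "protocols": sorted({REFLECTOR_PORTS[p] for _, p in seen}),
            }
    return alerts

def sample_flows():
    """Constructed 60-second window using documentation address ranges."""
    flows = [
        # Ordinary host: a couple of lookups, a time sync, and web traffic.
        ("192.0.2.10", "198.51.100.1", "udp", 53, 40),
        ("192.0.2.10", "198.51.100.2", "udp", 123, 4),
        ("192.0.2.10", "203.0.113.80", "tcp", 443, 90_000),
        # Second host: heavy web traffic alongside the UDP requests below.
        ("192.0.2.66", "203.0.113.80", "tcp", 443, 5_000_000),
    ]
    for i in range(200):  # 200 distinct servers, 3000 request packets each
        flows.append(("192.0.2.66", f"198.51.100.{i + 1}", "udp", (53, 123, 1900)[i % 3], 3000))
    return flows

if __name__ == "__main__":
    for sender, info in find_noisy_senders(sample_flows(), window_s=60).items():
        print(sender, info)
```
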


If anyone can prove their knowledge, feel free to tweet me or comment below.