[ntp:questions] Re: ntp-cup (timeserver) is being attacked (I think)

mayer at gis.net mayer at gis.net
Tue Apr 26 19:16:30 UTC 2005


----- Original Message Follows -----
> Richard B. Gilbert wrote:
> 
> > The two ip addresses in question are both assigned to:
> >
> > OrgName:    FONE NET, LLC
> 
> We have been trying to contact them, but my point really was that the
> bulk of the problem was not these two "elephants" (egregious though
> they are) but rather the 4000 little guys who are polling every 5
> seconds.  I wonder who those little guys are?  No way am I going to
> track down 4000 of them.
> 
> I will follow the advice of David Mills and configure the "call gap"
> feature in NTPv4.  The threshold will probably have to be large (10 or
> 20 seconds) and there are going to be a lot of Kiss-o-Death packets
> issued.  The follow-up question will be:  How many of those clients
> actually cease and desist when they receive the KoD?  Probably not
> many.
> 

The chances are pretty good that none of these clients know what a KOD
packet is or what to do with it. That's the unfortunate part. It's
something that's essential to the NTP v4 protocol spec but that's not
yet even in draft form.

Danny



More information about the questions mailing list