[ntp:questions] Bounce attack via pool server

Rob nomail at example.com
Mon Dec 23 14:16:04 UTC 2013

Jure Sah <dustwolfy at gmail.com> wrote:
> Hello,
> I am an administrator of a public NTP server joined to "pool.ntp.org".
> Our server has recently been an unwilling party to a NTP UDP based
> bounce attack and have received the report attached below.
> I would like to continue offering my server in the pool, but I would
> also like to secure my server configuration to prevent such attacks in
> the future. I am unsure as to what exactly to do, as some of what is
> suggested below (for example, turning off UDP support on the time
> server) would most likely result in problems for pool users, if not
> invalidate my NTP server for use in the pool altogether. I would like
> my server to still be as useful as possible for everybody.
> I am using ntpd version 4.2.6p3. I have searched trough the
> www.pool.ntp.org website on the subject and could not find any general
> recommendation for a secure setup, however I might not have been
> looking in the right places.
> Could anyone please help?
> LP,
> Jure
> - --------------- attack report:
> Date: 2013/12/23
> You are running a public, high-numbered-stratum NTP server that
> participated a very large-scale attack against a customer of ours this
> morning, generating UDP responses to spoofed requests with bogus
> timestamps that claimed to be from the attack target.

The sender of this report does not really have a clue.

However, you should investigate if your server is or has been running
unsynchronized.  If it is, it does not belong in the pool.

If not, maybe it temporarily went unsynchronized due to the heavy
network traffic because of the attack?
Hopefully you keep enough logging and monitoring info to check this.

Reflection attacks should not really be possible when you change
the config as mentioned in the other posting.

More information about the questions mailing list