Magnus Danielson magnus at rubidium.dyndns.org
Mon Jul 7 15:34:24 UTC 2014

On 07/07/2014 04:10 PM, Danny Mayer wrote:
> The experience with blocking has actually been negative and we have
> seen traffic actually INCREASE after it is blocked because the client,
> not having received a response, tries more often. This has been observed
> in the wild.

This might be true for proper NTP clients, but I wonder if this is true 
for faked NTP requests from DDOSers. KOD fills no purpose for DDOSers, 
so massive attacks are best handled by dropping that traffic, and 
possibly pushing the dropping away from the node and subnet running the 
server. For more modest overload scenarios such as misconfigured or 
otherwise errored NTP clients, I believe that what you describe is correct.

Let's not confuse these different scenarios, as they most probably have 
different solutions. My point was that DDOS amplification/relaying 
should be considered, as we need that solved, while KOD refinements are 
maybe nice but address another problem.

I don't think you will be able to handle the DDOS issues without doing 
blocking, and you want that blocking to move away from your server in 
order to reduce the impact of the service.
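The two mechanisms discussed in the thread, a KoD ("kiss-o'-death") reply that a well-behaved client honours versus silently dropping excess traffic, can be illustrated with a small example. The code below is an added illustration written for this page, not from the thread or from ntpd: a toy NTP header codec and a per-source rate policy in which the first few requests in a window are answered, a sparse KoD is sent so a real client learns to back off, and the rest is dropped with no reply at all (the case that matters for spoofed floods, where any reply goes to the victim). The `SourceLimiter` thresholds and the sample addresses are constructed assumptions, not ntpd defaults.

```python
"""Added example (not from the mailing-list thread or from ntpd): a toy NTP
header codec plus a per-source rate policy that shows the difference
between answering with a KoD and silently dropping. Thresholds are
constructed assumptions, not ntpd's defaults."""
import struct
from collections import defaultdict, deque

NTP_HEADER = struct.Struct("!BBbb11I")   # 48-byte fixed NTPv3/v4 header
MODE_CLIENT, MODE_SERVER = 3, 4


def parse_ntp(packet: bytes) -> dict:
    """Decode the fields this example cares about; reject short datagrams."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    first, stratum, poll = NTP_HEADER.unpack_from(packet)[:3]
    return {"vn": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "poll": poll,
            "refid": packet[12:16]}  # refid carries the kiss code in a KoD


def build_client_request(version: int = 4) -> bytes:
    """Minimal mode-3 request: version/mode byte, everything else zero."""
    return bytes([(version << 3) | MODE_CLIENT]) + bytes(NTP_HEADER.size - 1)


def build_kod(kiss_code: bytes = b"RATE") -> bytes:
    """A kiss-o'-death reply: server mode, stratum 0, kiss code in refid."""
    head = bytes([(4 << 3) | MODE_SERVER, 0, 0, 0]) + bytes(8) + kiss_code
    return head + bytes(NTP_HEADER.size - len(head))


def is_kod(packet: bytes) -> bool:
    p = parse_ntp(packet)
    return p["mode"] == MODE_SERVER and p["stratum"] == 0


class SourceLimiter:
    """Sliding-window limit per source address (constructed policy).

    Up to `limit` requests per `window` seconds are answered.  Beyond that,
    every `kod_every`-th excess request gets a KoD (so a real client learns
    to back off) and the rest are dropped without any reply at all, which
    is the only thing that helps when the source address is spoofed.
    """

    def __init__(self, limit: int = 4, window: float = 8.0, kod_every: int = 8):
        self.limit, self.window, self.kod_every = limit, window, kod_every
        self.history = defaultdict(deque)

    def decide(self, src: str, now: float) -> str:
        hist = self.history[src]
        while hist and now - hist[0] > self.window:
            hist.popleft()                  # forget requests outside the window
        hist.append(now)
        excess = len(hist) - self.limit
        if excess <= 0:
            return "reply"
        return "kod" if excess % self.kod_every == 1 else "drop"


def run_sources(limiter: SourceLimiter, events) -> dict:
    """Count decisions per source for (src, time) events, in time order."""
    counts = defaultdict(lambda: {"reply": 0, "kod": 0, "drop": 0})
    for src, t in sorted(events, key=lambda e: e[1]):
        counts[src][limiter.decide(src, t)] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    # Constructed traffic: a sane client polling every 16 s (always answered)
    # and a burst of 100 requests within one second from a second source
    # (4 answered, a sparse KoD, everything else dropped).
    events = [("192.0.2.10", 16.0 * i) for i in range(10)]
    events += [("203.0.113.7", 0.01 * i) for i in range(100)]
    print(run_sources(SourceLimiter(), events))
```

The point the simulation makes is the one the thread makes: the KoD only has an effect if the address that receives it is the one that sent the request, so for spoofed traffic the "drop" branch is the only useful one, and the cheaper it is (ideally enforced upstream of the server) the better.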


