[ntp:questions] Thoughts on KOD

Rob nomail at example.com
Mon Jul 7 17:23:44 UTC 2014

Magnus Danielson <magnus at rubidium.dyndns.org> wrote:
> On 07/07/2014 04:10 PM, Danny Mayer wrote:
> > The experience with blocking has actually been negative and we have
> > seen traffic actually INCREASE after it is blocked because the client,
> > not having received a response, tries more often. This has been observed
> > in the wild.
> This might be true for proper NTP clients, but I wonder if this is true
> for faked NTP requests from DDOSers. KOD fills no purpose for DDOSers,

Those results were already obtained BEFORE the DDOS problem appeared.
Early experience in the NTP Pool was that some people run really broken
NTP clients (not ntpd but some quickly written Windows program or router
firmware code) that do bad things like:

- send their requests on the top of the hour or minute
- send requests at a high rate (e.g. once every 10-20 seconds)
- when a request does not result in a quick reply or the reply is
  not what the caller expects, quickly retry the request
- have no error counting whatsoever (e.g. when you don't reply, the
  same client is still requesting 3 weeks later at the same interval)

All those problems were not solved by sending KOD and some of them even
not by sending no reply at all.  In fact, some of those broken clients
re-try after 1-2 seconds when you don't reply, and when you do reply KOD
they immediately re-try.   When you reply with correct time they come
back after 15 seconds.  You pick your alternative.
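
An added illustration (not part of the thread, written here to put numbers on the three alternatives above): a small simulation counting how many requests one client sends per hour when the server replies with correct time, sends KOD, or stays silent, for a broken client versus one that honours KOD. The intervals are assumptions: the broken client retries after 1.5 s when unanswered, 1 s after a KOD, and 15 s after a good reply; the compliant client polls every 64 s, stops on KOD, and doubles its interval (up to 1024 s) when unanswered.

```python
"""Simulate per-client NTP request load under three server policies.

Constructed model, not measured data: the client behaviours below are
assumptions chosen to mirror the broken clients described in the post.
"""
from dataclasses import dataclass
from typing import Optional

POLICIES = ("reply", "kod", "silence")


@dataclass
class Client:
    broken: bool
    interval: float = 64.0  # compliant client's current poll interval (s)

    def next_delay(self, policy: str) -> Optional[float]:
        """Seconds until this client sends again; None means it stops."""
        if self.broken:
            # Assumed fixed retry timers of a badly written client:
            # immediate-ish retry on KOD or silence, 15 s after a good reply.
            return {"reply": 15.0, "kod": 1.0, "silence": 1.5}[policy]
        if policy == "kod":
            return None  # compliant client honours KOD and gives up
        if policy == "silence":
            self.interval = min(self.interval * 2, 1024.0)  # exponential back-off
        return self.interval


def requests_in_window(broken: bool, policy: str, window: float = 3600.0) -> int:
    """Count requests one client sends within `window` seconds of starting."""
    client = Client(broken=broken)
    t, sent = 0.0, 0
    while t < window:
        sent += 1
        delay = client.next_delay(policy)
        if delay is None:
            break
        t += delay
    return sent


def load_table() -> dict:
    """Requests per hour for each (client type, policy) combination."""
    return {(kind, p): requests_in_window(kind == "broken", p)
            for kind in ("broken", "compliant") for p in POLICIES}


if __name__ == "__main__":
    for (kind, policy), n in sorted(load_table().items()):
        print(f"{kind:9s} client, server {policy:7s}: {n:5d} requests/hour")
```

Under these assumptions KOD or silence cuts a compliant client to a handful of requests per hour, while the same policies multiply a broken client's load ten- to fifteen-fold compared with simply answering it.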
