[ntp:questions] NTP servers not accessible on some networks

William Unruh unruh at invalid.ca
Mon May 19 18:41:05 UTC 2014


On 2014-05-19, E-Mail Sent to this address will be added to the BlackLists <Null at BlackList.Anitech-Systems.invalid> wrote:
> Jochen Bern wrote:
>> GeoIP blocking
>
> More likely related to the "DRDOS" attempts of the last few months.
> <http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using>

The problem was that ntpd responded to some requests for information by
sending out a packet which was hundreds of times longer than the
requesting packet length. Thus I could send a request with someone
else's return address, and that fake return address would get a packet
hundreds of times longer than the packet I sent out. If it were the same
or smaller, it would not pay for me to do this, since my own requesting
packet would be more efficient at overwhelming the remote system than
going through a middle man. And ntpd had the option of replying to
such requests switched on by default. Thus, two solutions-- do not have
replying switched on by default, and switch it on only in special
circumstances, or make sure that replies are always shorter than
requests. Or disallow all ntp requests (including requests for time) at
the firewall. The latter is the response of ISPs who do not have access to
your ntpd on your own computer.
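
The asymmetry described in the post (server reply far larger than the spoofed request, so the "middle man" pays off only when the ratio is above 1) is what a network defender looks for in flow data. The following is an added example, not code from the post or from ntp.org; the flow records, addresses and the `min_ratio` threshold are constructed for illustration.

```python
"""Flag NTP (UDP/123) exchanges where the server sends far more than it receives.

Each constructed flow record is (src, dst, sport, dport, bytes, pkts). A server that
answers a small query with a multi-packet reply hundreds of times larger is the
amplifier the post describes; a server whose reply is the same size or smaller
offers an attacker no gain over sending packets directly.
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed sample flows (not real traffic). Pair 1 is an ordinary time exchange
# with equal-sized request and reply. Pair 2 is a small query carrying a forged
# source (the victim 192.0.2.99) that provokes a large multi-packet reply.
FLOWS = [
    # src,            dst,             sport, dport, bytes, pkts
    ("198.51.100.7",  "203.0.113.10",  50000, 123,   76,    1),    # normal request
    ("203.0.113.10",  "198.51.100.7",  123,   50000, 76,    1),    # normal reply
    ("192.0.2.99",    "203.0.113.10",  40000, 123,   234,   1),    # forged-source query
    ("203.0.113.10",  "192.0.2.99",    123,   40000, 48200, 100),  # amplified reply
]


def amplification_by_server(flows, server_port=NTP_PORT):
    """Return {(server, client): (request_bytes, reply_bytes, ratio)}.

    Packets with dport == server_port count toward the request volume of the
    (server, client) pair; packets with sport == server_port count as reply volume.
    """
    req = defaultdict(int)
    rep = defaultdict(int)
    for src, dst, sport, dport, nbytes, _pkts in flows:
        if dport == server_port:       # towards the NTP server
            req[(dst, src)] += nbytes
        elif sport == server_port:     # from the NTP server
            rep[(src, dst)] += nbytes
    out = {}
    for key in set(req) | set(rep):
        r, p = req[key], rep[key]
        ratio = p / r if r else float("inf")   # replies with no request at all: worst case
        out[key] = (r, p, ratio)
    return out


def suspicious_pairs(flows, min_ratio=10.0):
    """(server, client) pairs whose reply volume is at least min_ratio times the request volume."""
    stats = amplification_by_server(flows)
    return sorted(k for k, (_, _, ratio) in stats.items() if ratio >= min_ratio)
```

A ratio of about 1.0 for the ordinary exchange and above 200 for the forged-source query is the signal; in practice the check is run over exported NetFlow/IPFIX records rather than a hard-coded list.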
