[ntp:questions] Possible new attack?

Harlan Stenn stenn at ntp.org
Tue Oct 7 00:37:38 UTC 2014

William Unruh writes:
> On 2014-10-06, Charles Swiger <cswiger at mac.com> wrote:
> > On Oct 6, 2014, at 11:36 AM, Evandro Menezes <aevandro at gmail.com> wrote:
> >> I've noticed a couple of NTP clients with the unusual avgint of 16s with h
> undreds of accesses to my NTP server in the pool.  I added a restriction, in 
> addition to the recommended ones already in place, to cope with the suspiciou
> s clients bumping the discard average threshold to 32s.  Eventually, KoD kick
> ed them out, but they returned again and again, but each time with a differen
> t source UDP port.  I'd think that were it the case of an improperly configur
> ed, though kosher, NTP client, it would not haunt the server again after a Ko
> D.  I suspect that it's the case of zombie systems running some sort of DoS b
> ot.  If so, is this the behavior of the recent DRDoS attack or a new attack o
> n NTP?
> >
> > Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware
>  of phone switches, routers, and such are truly brain-dead and will not only 
> ignore KoD replies, some of them will even start polling at 1-second interval
> s.  You're better off firewalling off IPs which poll at abusive rates rather 
> than hoping that ntpd's restrict/KoD stuff will help.
> >
> Not only that but they are probably running ntp 3 systems, which does
> not have KOD.

It would be really nice to be able to identify what these are - if
somebody finds out please tell me.

> > You can try to contact the remote sites and ask them to fix their broken NT
> P clients, but expect lots of pushback.
> Or you could start sending back wildly inaccurate times. 

KOD packets send back the T1 timestamp they get as the T2 and T3
timestamps, along with other information that should clearly indicate to
any even partially conforming implementation that "something is wrong".


More information about the questions mailing list