[ntp:hackers] USNO Blast Attack -- vol 68 #3

Judah.Levine at colorado.edu
Thu Aug 19 15:02:29 UTC 2010


Hello, 
  I have seen similar "attacks" on the NIST servers. They seem to come and
go. I have tried to trace the source of these attacks, but I have not had
much success in doing this, mainly because most ISPs will not cooperate on
any finite time scale. 

  The NIST servers are already configured not to respond to these attacks,
which seems to me to be the best that you can do. Replying to them just
increases the network traffic, and anything more than ignoring the packet
seems to me to just use more processor cycles so that it makes the problem
worse. 

   The busiest NIST servers already handle about 6,000+ requests per second,
so that an "attack" of 1,000 packets per second will not cause a failure by
itself if there is only one of them. A number of these incidents come from
IP addresses with no DNS name, which is possibly an indication of the
problem. However, doing a reverse DNS lookup for every request is just not
feasible.

   Although I cannot be sure about this, I think that the source of these
incidents is not anything like a standard version of NTP, so that using
kiss-of-death packets would be unlikely to do any good and would just add to
the network congestion.

   Although I do not want to discuss the details in an open forum, I have
seen attacks on the NIST servers that are aimed at ports other than NTP.
Many of these attacks are so dumb and simple-minded that they are never
going to do any harm, and I hesitate to go after these folks because I worry
that they may mutate into more dangerous creatures, and it is safer for me
to let them continue to do something that just wastes their time. Because of
this, I don't see this as an NTP problem particularly -- it is more the
price for the way the network is currently configured. I don't know of
anything that the NTP community could do that would fix things, but I would
certainly welcome ideas. 

   In the longer term, the most useful strategy in dealing with these kinds
of problems is probably to get the cooperation of the ISPs to shut them down
at the source. Ideally, this would be some kind of dynamic system that would
not require manual configuration of the "bad guys" list. It would have to be
well upstream of the network or the NTP server, because it is too late at
that point. 

Judah Levine 
Time and Frequency Division 
NIST Boulder
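The mitigation the post describes (ignore a blasting source rather than answer it or send a kiss-of-death, and decide per packet without any reverse DNS lookup) can be modelled as a per-source sliding-window rate check. The following is an added illustration, not code from the post or from the NIST servers; the 1,000 packets-per-second threshold and the sample addresses are assumptions for the example.

```python
from collections import deque, defaultdict

# Added example: per-source rate tracking that decides whether an incoming
# NTP request is answered or dropped silently. No reply of any kind is sent
# to an over-limit source, since any reply only adds to the traffic.
PER_SOURCE_LIMIT = 1000   # assumed: requests per second from one address
WINDOW_SECONDS = 1.0


class SilentDropPolicy:
    """Track request timestamps per source address in a sliding window."""

    def __init__(self, limit=PER_SOURCE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # src_ip -> recent timestamps
        self.dropped = defaultdict(int)     # src_ip -> packets ignored

    def should_answer(self, src_ip, now):
        q = self.history[src_ip]
        # Forget timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.dropped[src_ip] += 1       # ignore: no reply, no KoD
            return False
        q.append(now)
        return True


def simulate(policy, packets):
    """Feed a (timestamp, src_ip) stream to the policy; return answered
    request counts per source."""
    answered = defaultdict(int)
    for ts, src in packets:
        if policy.should_answer(src, ts):
            answered[src] += 1
    return dict(answered)


# Constructed sample: one address sends 2,000 requests within one second
# while a normal client polls once a second for three seconds.
SAMPLE_PACKETS = [(i / 2000.0, "192.0.2.10") for i in range(2000)]
SAMPLE_PACKETS += [(float(t), "198.51.100.7") for t in range(3)]
SAMPLE_PACKETS.sort()

if __name__ == "__main__":
    pol = SilentDropPolicy()
    print(simulate(pol, SAMPLE_PACKETS))   # blaster capped at 1000, client gets 3
    print(dict(pol.dropped))
```

The blasting source keeps its first 1,000 requests per window and the rest are ignored, while the well-behaved client is never affected and the server does no per-request DNS work.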
