[ntp:questions] Re: Clogging defense

David L. Mills mills at udel.edu
Fri Nov 7 04:28:11 UTC 2003


Folks,

I left out a wee detail spotted by Wolfgang Rupprecht and reported
privately. He noticed ntpdate works with tick.usno.navy.mil, in spite of
the fact that call gap is enabled. The ntpdate program as most know
sends a burst of packets as fast as it can and then does a half-baked
mitigation algorithm on the lot. From my last message, you would
conclude all but the first packet sent by ntpdate would be gapped and
come back KoD kiss code RATE. Well, turns out I made the call gap ignore
the first ten packets in a burst so ntpdate would still work, at least
for now. I intended that, when ntpdate has been replaced by a good SNTP
implementation that obeys the rules, this concession will be removed.

Okay, so I attempted to verify Wolfgang's report. I found the first
packet did get returned, but the succeeding three packets came back KoD,
so USNO has modified the algorithm. Great, now I'll do the same. The
ntpdate program does still work, but it will be limited to one packet
exchange.

I'm not thrilled about the utility of KoD packets, as the offense rate
is about 80 packets per second and the KoD stream is rate-limited at one
packet per second. Thus, one packet in 80 will get a KoD and the
remainder get nothing. While this protects the server from a distributed
attack, it does diminish the effective pushback. I see, however, that
every ntpdate packet got a response, so USNO may have turned that off.
Even if that was not the case, there is still a good chance that an
offender will get a KoD if the offense continues for a while and, if
he/she follows the rules, the association will go catatonic.

Yeah, I know an evil person mounting a clog attack will laugh when a KoD
shows up, but hey, this technology is only in its infancy and the mind
readily conceives inspirationally crafty things like sending the perp IP
address to get his mail blocked.

Be advised in my cowardly design even KoD packets contain valid
timestamps, so if the perp ignored the invalid leap field and stratum, a
proper time/delay calculation would work. I have considered artfully
altering the time values so the perp can't do that. But then some
airplane crashes because of that and I get put in gaol or sued for my
pension. There may be some discussion on that. 

Dave

"David L. Mills" wrote:
> 
> Folks,
> 
> USNO has installed the call-gap clogging defense feature in the latest
> NTPv4 on all their public servers and reports it works well. Busy server
> tick.usno.navy.mil has been victim of 2000-PPS attack by dirty rotten
> scoundrels, which was why the feature was turned up. Just now it is
> running at 440 PPS with one packet in five discarded by call-gap. With
> the default parameters, a packet arriving less than one second after
> another from the same IP address is nixed and a Kiss-o'-Death (KoD)
> packet returned. However, KoD packets are rate limited to no more than
> one per second in the aggregate. KoD packets from call-gap can be
> recognized by a RATE kiss code. If anybody spots one of these, please
> honk.
> 
> Dave
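
The call-gap behaviour the two messages describe, as an added simulation run on constructed traffic (this is not ntpd's code): a packet from the same source less than one second after its predecessor is gapped, the original release exempts the first ten packets of a burst, and KoD RATE replies are limited to one per second in the aggregate, which yields the one-KoD-in-80 ratio Dave works out. The addresses, the ntpdate packet spacing and the five-second flood duration are assumptions; the 80 PPS rate is the figure from the message.

```python
# Added example, not ntpd's code: call-gap clogging defense as described in the thread.
# Integer microseconds avoid floating-point drift when comparing arrival times.
US = 1_000_000                 # one second
MIN_GAP_US = 1 * US            # default per-source gap: closer than this is gapped
KOD_INTERVAL_US = 1 * US       # aggregate KoD rate limit: at most one per second


class CallGap:
    def __init__(self, grace=10, kod_interval_us=KOD_INTERVAL_US):
        self.grace = grace                      # burst packets exempted; 0 models USNO's tightened server
        self.kod_interval_us = kod_interval_us  # 0 disables the aggregate KoD limit
        self.last_seen = {}                     # source ip -> arrival time of its previous packet
        self.burst = {}                         # source ip -> packets in the current sub-second burst
        self.last_kod = None                    # time of the last KoD sent, to any source

    def handle(self, ip, now_us):
        """Classify one packet: 'serve', 'kod' (KoD, RATE kiss code) or 'drop' (gapped silently)."""
        prev = self.last_seen.get(ip)
        self.last_seen[ip] = now_us
        if prev is None or now_us - prev >= MIN_GAP_US:
            self.burst[ip] = 1               # spaced properly: a new burst starts, packet is served
            return "serve"
        self.burst[ip] += 1
        if self.burst[ip] <= self.grace:     # concession so ntpdate's burst still works
            return "serve"
        if self.last_kod is None or now_us - self.last_kod >= self.kod_interval_us:
            self.last_kod = now_us           # aggregate limiter permits a KoD now
            return "kod"
        return "drop"                        # gapped, but the KoD budget is spent: no reply


def flood(gap, ip, pps, seconds):
    """Replay a constant-rate flood from one source; return counts of each outcome."""
    counts = {"serve": 0, "kod": 0, "drop": 0}
    interval_us = US // pps
    for i in range(pps * seconds):
        counts[gap.handle(ip, i * interval_us)] += 1
    return counts


def ntpdate_burst(gap, ip, start_us=0, spacing_us=20_000, packets=4):
    """Replay ntpdate's rapid burst (constructed 20 ms spacing) and return the per-packet outcomes."""
    return [gap.handle(ip, start_us + i * spacing_us) for i in range(packets)]


if __name__ == "__main__":
    print(flood(CallGap(grace=0), "198.51.100.7", 80, 5))  # constructed offender address: 1 KoD per 80
    print(ntpdate_burst(CallGap(grace=10), "203.0.113.9"))  # original concession: whole burst served
    print(ntpdate_burst(CallGap(grace=0), "203.0.113.9"))   # tightened: one exchange, rest gapped
```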


