[ntp:questions] Re: Clogging defense

Ulrich Windl Ulrich.Windl at RZ.Uni-Regensburg.DE
Tue Nov 11 13:35:06 UTC 2003

"David L. Mills" <mills at udel.edu> writes:

> Folks,
> I left out a wee detail spotted by Wolfgang Rupprecht and reported
> privately. He noticed ntpdate works with tick.usno.navy.mil, in spite of
> the fact that call gap is enabled. The ntpdate program as most know
> sends a burst of packets as fast as it can and then does a half-baked
> mitigation algorithm on the lot. From my last message, you would
> conclude all but the first packet sent by ntpdate would be gapped and
> come back KoD kiss code RATE. Well, turns out I made the call gap ignore
> the first ten packets in a burst so ntpdate would still work, at least
> for now. I intended that, when ntpdate has been replaced by a good SNTP
> implementation that obeys the rules, this concession will be removed.
> Okay, so I attempted to verify Wolfgang's report. I found the first
> packet did get returned, but the suceeding three packets came back KoD,
> so USNO has modified the algorithm. Great, now I'll do the same. The


I'd allow three packets at least, just for what you call Byzantine I think...

> ntpdate program does still work, but it will be limited to one packet
> exchange.
> I'm not thrilled about the utility of KoD packets, as the offense rate
> is about 80 packets per second and the KoD stream is rate-limited at one
> packet per second. Thus, one packet in 80 will get a KoD and the

KoD is like saying "please don't shoot other people", but whether it's
effective is another question.

> remainder get nothing. While this protects the server from a distributed
> attack, it does diminishes the effective pushback. I see, however, that
> every ntpdate packet got a response, so USNO may have turned that off.
> Even if that was not the case, there is still a good chance that an
> offender will get a KoD if the offense continues for awhile and, if
> he/she follows the rules, the association will go catatonic.
> Yeah, I know an evil person mounting a clog attack will laugh when a KoD
> shows up, but hey, this technology is only in its infancy and the mind
> readily conceives inspirationally crafty things like sending the perp IP
> address to get his mail blocked.
> Be advised in my cowardly design even KoD packets contain valid
> timestamps, so if the perp ignored the invalid leap field and stratum, a
> proper time/delay calculation would work. I have considered artfully
> altering the time values so the perp can't do that. But then some
> airplane crashes because of that and I get put in gaol or sued for my
> pension. There may be some discussion on that. 

"eye by eye" is only effective if one party is stronger than the other
on the long term.  Imagine Mr. Arafat had F16 fighters, Apache
helicopters and Leopard tanks...



More information about the questions mailing list