[ntp:questions] Re: Question on abusive clients.

Brian T. Brunner brian.t.brunner at gai-tronics.com
Thu Dec 29 17:04:22 UTC 2005

After reading, I wondered: it appears that the timestamp field is 
present in the KoD packet; would it be possible to track which IP has 
been given the KoD, and the timestamp of when that was decided, 
then, when another packet comes in, fill the timestamp field with the 
time the KoD was decided?

Cost: 64 bits per system that has been KoD'd, a reply to each KoD packet.

Effect: system that has been KoD'd sees the time holding still, making
the server a false-ticker to that client almost instantly.

Assumption on my part: false-tickers get labeled as such by the client that 
has concluded the fact, then that client subsequently leaves that server alone.

Brian Brunner
brian.t.brunner at gai-tronics.com

>>> "Richard B. Gilbert" <rgilbert88 at comcast.net> 12/22/05 11:10PM >>>
David L. Mills wrote:

> David,
> There are copious examples of that happening right now on the NIST and 
> USNO servers. What would you suggest we do to stop it? See the paper
> Mills, D.L., J. Levine, R. Schmidt and D. Plonka. Coping with overload 
> on the Network Time Protocol public servers. Proc. Precision Time and 
> Time Interval (PTTI) Applications and Planning Meeting (Washington DC, 
> December 2004), 5-16.
> Full text is at www.eecis.udel.edu/~mills/papers.html.
> Dave

I read the referenced paper with great interest. I noticed that little 
attention was paid to the idea of tracking down perpetrators and taking 
actions ranging from asking the perpetrator to cease and desist to 
asking the courts to intervene. There was an exchange of messages on 
this newsgroup a few months ago on this topic. A system administrator 
at HP's (formerly Digital's) Western Research Laboratory complained that 
his NTP server was being beaten up by clients sending requests at a rate 
of 1 PPS. The clients appeared to all be served by a single ISP. He 
was not interested in spending the small amount of time required to 
identify the IP addresses of the perpetrators and to ask the ISP to shut 
them down. There was no reply to my suggestion that since this was a 
Denial of Service attack he should request assistance from his legal 

The reference implementation of ntpd contributes to the deluge in a 
small way! Running a Motorola Oncore as a reference clock causes my 
home server to query its internet servers every 16 seconds. It's 
nothing I would do by choice; they serve only as a sanity check on my 
Oncore reference clock. There does not appear to be any way of turning 
this feature off short of modifying the code.
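
Added illustration, not part of the post above and not ntpd code: a constructed Python model of the frozen-timestamp reply proposed at the top of this message, showing the offset a client would compute from it. Assumptions: the stored value goes into both the receive and transmit timestamp fields, client and server clocks agree, and the request-count trigger, address and times are hypothetical; whether the client then drops the server is not modeled.

```python
from dataclasses import dataclass, field

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01


def to_ntp64(unix_seconds: float) -> int:
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    ntp = unix_seconds + NTP_UNIX_DELTA
    secs = int(ntp)
    frac = int((ntp - secs) * 2**32)
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def from_ntp64(ts: int) -> float:
    """Decode a 64-bit NTP timestamp back to Unix seconds."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32 - NTP_UNIX_DELTA


@dataclass
class Server:
    limit: int = 3                                 # hypothetical KoD trigger
    counts: dict = field(default_factory=dict)     # IP -> requests seen
    kod_time: dict = field(default_factory=dict)   # IP -> frozen 64-bit stamp

    def reply(self, ip: str, now: float) -> tuple[int, int]:
        """Return (receive, transmit) timestamps for a request at `now`."""
        if ip not in self.kod_time:
            self.counts[ip] = self.counts.get(ip, 0) + 1
            if self.counts[ip] > self.limit:
                self.kod_time[ip] = to_ntp64(now)  # decided once, then reused
        stamp = self.kod_time.get(ip, to_ntp64(now))
        return stamp, stamp


def client_offset(t1: float, rx: int, tx: int, t4: float) -> float:
    """Standard NTP clock offset: ((T2 - T1) + (T3 - T4)) / 2."""
    return ((from_ntp64(rx) - t1) + (from_ntp64(tx) - t4)) / 2


def simulate(polls: int, interval: float = 16.0, one_way: float = 0.05,
             start: float = 1_135_875_862.0) -> list[float]:
    """Offsets one client computes over `polls` requests (constructed input)."""
    server = Server()
    offsets = []
    for i in range(polls):
        t1 = start + i * interval                  # client sends
        rx, tx = server.reply("192.0.2.10", t1 + one_way)
        offsets.append(client_offset(t1, rx, tx, t1 + 2 * one_way))
    return offsets
```

With these inputs the computed offset stays near zero until the KoD decision, then falls by one poll interval per request.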
