[ntp:questions] Connection peaks
David L. Mills
mills at udel.edu
Sat Feb 24 18:06:08 UTC 2007
You are apparently victim of a terrorist flooding attack. See
You might try enabling the kiss-o'-death (KoD) packet, but the terrorist
probably will not respond. To find out who the varmits are, use the
ntpdc monlist command. However, the apparent source of the flood is
probably not the terrorist itself, more likely a distributed denial of
service attack. It would be useful if you could send us the ntpd monlist
There are three schools of thought on this issue: 1) Behave as if
nothing is wrong. The terrorist will lose interest. 2) Toss a KoD,
presumably to tell the terrorist was detected and the FBI will swoop on
the sender. 3) toss intentionally distorted time, presuably to tell the
terrorist was detected and actively defended. The problem with 3) is
that it might be hard to differentiate between the misguideds and
> I have some strange peaks in the number of connections to my machine.
> It's usually about a couple of hundred of connections, but a copule of
> times a day I get a few thousands of connections instead. The traffic
> seems to be directed to my NTP server. The ammount of traffic on the
> NTP port is only about 100kbit/s, but there are very many connections.
> I can have 10000 connections at the same time, which is kind of much.
> My machine didn't take it very yesterday and the round trip times
> rised to about 500ms so the time went a bit out of sync. Why are there
> so strong peaks in the number of connections? I'm in the SE pool, my
> server is on 126.96.36.199.
More information about the questions