[ntp:questions] Connection peaks

David L. Mills mills at udel.edu
Sat Feb 24 18:06:08 UTC 2007


independence,

You are apparently the victim of a terrorist flooding attack. See 
http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf.

You might try enabling the kiss-o'-death (KoD) packet, but the terrorist 
probably will not respond. To find out who the varmints are, use the 
ntpdc monlist command. However, the apparent source of the flood is 
probably not the terrorist itself, more likely a distributed denial of 
service attack. It would be useful if you could send us the ntpdc monlist 
results.

There are three schools of thought on this issue: 1) Behave as if 
nothing is wrong. The terrorist will lose interest. 2) Toss a KoD, 
presumably to tell the terrorist it was detected and the FBI will swoop on 
the sender. 3) Toss intentionally distorted time, presumably to tell the 
terrorist it was detected and actively defended. The problem with 3) is 
that it might be hard to differentiate between the misguideds and 
outright terrorists.

Dave

independence wrote:
> I have some strange peaks in the number of connections to my machine.
> It's usually about a couple of hundred connections, but a couple of
> times a day I get a few thousand connections instead. The traffic
> seems to be directed to my NTP server. The amount of traffic on the
> NTP port is only about 100kbit/s, but there are very many connections.
> I can have 10000 connections at the same time, which is kind of much.
> My machine didn't take it very well yesterday and the round trip times
> rose to about 500ms so the time went a bit out of sync. Why are there
> such strong peaks in the number of connections? I'm in the SE pool, my
> server is on 80.252.175.45.
> 
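The reply suggests using ntpdc monlist to see who is hammering the server. As an added example (not part of this thread or of the ntp distribution), the script below parses monlist-style output and ranks clients whose packet count is high and whose average inter-packet interval is near zero, which is what a flood source looks like next to a normal 64 s poller. It assumes the classic monlist column layout (remote address, port, local address, count, m, ver, rstr, avgint, lstint); the sample output and the thresholds are constructed.

```python
"""Rank NTP clients from `ntpdc -n -c monlist` output to spot flood sources.

Added example, not code from the ntp project or the thread. Assumes the
classic monlist column layout; sample output below is constructed (RFC 5737
addresses as remote clients, the poster's server as the local address).
"""
from dataclasses import dataclass

SAMPLE_MONLIST = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.10               123 80.252.175.45     18342 3 4     1d0      0       1
198.51.100.7             123 80.252.175.45      9921 3 4     1d0      0       0
203.0.113.5              123 80.252.175.45       212 3 4     1d0     64       5
203.0.113.9             1025 80.252.175.45        37 3 3     1d0   1024      17
"""


@dataclass
class Client:
    remote: str
    port: int
    count: int     # packets seen from this client
    mode: int      # NTP mode (3 = client)
    version: int
    avgint: int    # average seconds between packets
    lstint: int    # seconds since the last packet


def parse_monlist(text):
    """Return one Client per data row, skipping header and separator lines."""
    clients = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[1].isdigit():
            continue  # header, '====' separator or blank line
        clients.append(Client(remote=fields[0], port=int(fields[1]),
                              count=int(fields[3]), mode=int(fields[4]),
                              version=int(fields[5]), avgint=int(fields[7]),
                              lstint=int(fields[8])))
    return clients


def suspicious(clients, min_count=1000, max_avgint=8):
    """Clients with many packets and a tiny average interval, busiest first.

    A well-behaved client polls every 64 s or more, so avgint near 0 with a
    high count is flood behaviour. Thresholds are illustrative assumptions.
    """
    hits = [c for c in clients if c.count >= min_count and c.avgint <= max_avgint]
    return sorted(hits, key=lambda c: c.count, reverse=True)


if __name__ == "__main__":
    for c in suspicious(parse_monlist(SAMPLE_MONLIST)):
        print(f"{c.remote:16} count={c.count:6} avgint={c.avgint}s")
```

Feed it real output with `ntpdc -n -c monlist | python3 rank_monlist.py` after replacing SAMPLE_MONLIST with `sys.stdin.read()`; the resulting list is what the reply asks the poster to share.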