[ntp:questions] Connection peaks
independence at blinkenlights.se
Sat Feb 24 19:16:42 UTC 2007
On Feb 24, 7:06 pm, "David L. Mills" <m... at udel.edu> wrote:
> You are apparently victim of a terrorist flooding attack. See http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf.
> You might try enabling the kiss-o'-death (KoD) packet, but the terrorist
> probably will not respond. To find out who the varmints are, use the
> ntpdc monlist command. However, the apparent source of the flood is
> probably not the terrorist itself, more likely a distributed denial of
> service attack. It would be useful if you could send us the ntpd monlist
> There are three schools of thought on this issue: 1) Behave as if
> nothing is wrong. The terrorist will lose interest. 2) Toss a KoD,
> presumably to tell the terrorist was detected and the FBI will swoop on
> the sender. 3) toss intentionally distorted time, presumably to tell the
> terrorist was detected and actively defended. The problem with 3) is
> that it might be hard to differentiate between the misguideds and
> outright terrorists.
First of all, I'm a bit concerned with your use of the word
"terrorist". Here is a definition: One who utilizes the systematic use
of violence and intimidation to achieve political objectives, while
disguised as a civilian non-combatant.
Someone who uses DoS or DDoS attacks is not a terrorist.
The floods seem to come from an ISP in Turkey named TurkTelecom, many
of their clients try to synchronize with my server in very intense
I've also noticed in monlist that most clients have sent like 5
packets, but some have sent about 50000 packets. Why is this?
The peaks last for about 1 hour, half an hour the connections
increase dramatically, and for the next half hour they decrease.
There seems to be no special time of day when it happens, it can be
anytime with a seemingly random delay until the next peak.
Anyone else got any ideas?
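
Added example, not part of the original post or of the ntp distribution: a small triage script for saved `ntpdc -n -c monlist` output that separates the clients with a handful of packets from the ones with tens of thousands, and sums packets per network. The column layout, the thresholds and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Assumed column layout of `ntpdc -n -c monlist`:
# remote, port, local, count, mode, ver, rstr, avgint, lstint.
SAMPLE = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.17             32768 198.51.100.5           5 3 4      0   1024      12
192.0.2.44               123 198.51.100.5           6 3 4      0    980      40
203.0.113.9            40211 198.51.100.5       50213 3 3      0      1       0
203.0.113.77           51002 198.51.100.5       48870 3 3      0      1       0
203.0.113.130           1029 198.51.100.5           4 3 4      0   2048     300
"""

def parse_monlist(text):
    """Yield one dict per client row, skipping the header and ruler lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[3].isdigit():
            continue
        try:
            addr = ipaddress.ip_address(f[0])
        except ValueError:
            continue  # hostname or malformed row; use numeric (-n) output
        yield {"addr": addr, "count": int(f[3]), "avgint": int(f[7])}

def heavy_hitters(rows, min_count=1000, max_avgint=4):
    """Clients with many packets at a short average interval (assumed thresholds)."""
    return [r for r in rows if r["count"] >= min_count and r["avgint"] <= max_avgint]

def by_network(rows, prefix=24):
    """Sum packet counts per covering network to show concentration per provider."""
    totals = defaultdict(int)
    for r in rows:
        net = ipaddress.ip_network(f"{r['addr']}/{prefix}", strict=False)
        totals[str(net)] += r["count"]
    return dict(totals)

if __name__ == "__main__":
    rows = list(parse_monlist(SAMPLE))
    for r in heavy_hitters(rows):
        print(f"{r['addr']}  count={r['count']}  avgint={r['avgint']}s")
    for net, total in sorted(by_network(rows).items(), key=lambda kv: -kv[1]):
        print(f"{net}  packets={total}")
```
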