[ntp:questions] Very rapid polling

Eric nospam-01 at jensenresearch.com
Tue Feb 10 19:23:58 UTC 2009


On Mon, 9 Feb 2009 14:07:26 -0800 (PST), jlevine <jlevine at boulder.nist.gov>
wrote for the entire planet to see:

>In the last few days I have seen an increasing number of systems that
>are requesting the time in NTP format several times per second. 

Have you considered the possibility that they are spoofed queries from a
botnet?  There are some records of which IPs are the current/past targets.

There have been a number of recent DDoS attacks using spoofed UDP packets.
The usual attack uses port 53 (DNS) and attempts to get 'amplification' of
a small query into a large response towards the victim IP.  NTP packets are
the same size both ways, but might still be used to help with a flood.

The only mitigation I can think of here is for NTP to not respond to
excessive rate queries at all, or very infrequently, after the KOD.

- Eric








More information about the questions mailing list