[ntp:questions] Very rapid polling

Eric nospam-01 at jensenresearch.com
Wed Feb 11 20:53:10 UTC 2009

On Tue, 10 Feb 2009 23:38:07 -0500, "Richard B. Gilbert"
<rgilbert88 at comcast.net> wrote for the entire planet to see:

>Danny Mayer wrote:
>> Eric wrote:
>>> The only mitigation I can think of here is for NTP to not respond to
>>> excessive rate queries at all, or very infrequently, after the KOD.
>>> - Eric
>> That's what the latest code does.
>> Danny
>If ntpd responds to such DOS attacks with the WRONG YEAR or random 
>date-times, it might discourage the perpetrators.

Not really.  If it's really a DDoS attempt the source address won't belong
to an NTP server and the packet will be discarded, sooner or later.  It's
value is just to clog the pipes.  And anyway, there seems to be a general
consensus that sending the wrong time is wrong.  Just don't send it, or
simply mark it invalid or KOD or all zeros, or all three.  No need to
attempt to confound the "requester".    

More information about the questions mailing list