[ntp:questions] Very rapid polling

jlevine jlevine at boulder.nist.gov
Mon Feb 23 15:07:20 UTC 2009

Thanks to all of you who responded to my initial post regarding very
polling. I have fixed this particular instance with some cooperation
from the
ISP. However, the generic problem remains and is likely to re-appear.
I don't know of a good general solution to this problem because:

   1. the KOD packets are generally not effective. Either the remote
does not recognize them or it chooses to ignore them. The KOD method
obviously would not work against an attack.
   2. Sending any reply at all doubles the network traffic and makes
attack more effective. Therefore, all of the NIST servers log the
event and
the source ip but do not respond. I think it is not appropriate for a
timing laboratory to knowingly send the wrong time.
   3. This sort of stuff is really more general than NTP -- denial of
attacks can use many different protocols and a more general network
solution is going to be needed.
   4. A serious denial-of-service attack probably requires a botnet to
real trouble, and fixing that problem might reduce the impact of all
of service attacks.

Judah Levine
Time and Frequency Division
NIST Boulder

More information about the questions mailing list