[ntp:questions] Very rapid polling

Unruh unruh-spam at physics.ubc.ca
Mon Feb 23 18:12:40 UTC 2009

jlevine <jlevine at boulder.nist.gov> writes:

>Thanks to all of you who responded to my initial post regarding very
>polling. I have fixed this particular instance with some cooperation
>from the
>ISP. However, the generic problem remains and is likely to re-appear.

Could you tell us what the problem was? Was it an attack or a
misconfiguration or a bug in some program? 

>I don't know of a good general solution to this problem because:

>   1. the KOD packets are generally not effective. Either the remote
>does not recognize them or it chooses to ignore them. The KOD method
>obviously would not work against an attack.
>   2. Sending any reply at all doubles the network traffic and makes
>attack more effective. Therefore, all of the NIST servers log the
>event and
>the source ip but do not respond. I think it is not appropriate for a
>timing laboratory to knowingly send the wrong time.
>   3. This sort of stuff is really more general than NTP -- denial of
>attacks can use many different protocols and a more general network
>solution is going to be needed.
>   4. A serious denial-of-service attack probably requires a botnet to
>real trouble, and fixing that problem might reduce the impact of all
>of service attacks.

>Judah Levine
>Time and Frequency Division
>NIST Boulder

More information about the questions mailing list