[ntp:questions] Very rapid polling

Danny Mayer mayer at ntp.org
Thu Feb 26 04:01:44 UTC 2009

jlevine wrote:
> Thanks to all of you who responded to my initial post regarding very
> rapid
> polling. I have fixed this particular instance with some cooperation
> from the
> ISP. However, the generic problem remains and is likely to re-appear.
> I don't know of a good general solution to this problem because:
>    1. the KOD packets are generally not effective. Either the remote
> software
> does not recognize them or it chooses to ignore them. The KOD method
> obviously would not work against an attack.
>    2. Sending any reply at all doubles the network traffic and makes
> an
> attack more effective. Therefore, all of the NIST servers log the
> event and
> the source ip but do not respond. I think it is not appropriate for a
> national
> timing laboratory to knowingly send the wrong time.
>    3. This sort of stuff is really more general than NTP -- denial of
> service
> attacks can use many different protocols and a more general network
> solution is going to be needed.
>    4. A serious denial-of-service attack probably requires a botnet to
> cause
> real trouble, and fixing that problem might reduce the impact of all
> denial
> of service attacks.
> Judah Levine
> Time and Frequency Division
> NIST Boulder

We should go through BCP 38 (RFC 2827) and see if there is something
that we can do on the basis of that document. It will take time for
review. Did you discover anything specific about the abusive clients?


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the questions mailing list