[ntp:questions] NTP Denial of Service attack 29 November 2011

Rob nomail at example.com
Wed Nov 30 17:26:04 UTC 2011

unruh <unruh at invalid.ca> wrote:
> On 2011-11-30, Rob <nomail at example.com> wrote:
>> Danny Mayer <mayer at ntp.org> wrote:
>>> On 11/29/2011 4:57 PM, Rich wrote:
>>>>> Isn't that a bit wide a range to block for only 4 IPs?
>>>>> What makes you think any further attacks will come from the same range?
>>>> Only my 17 years' experience at the stratum 1 level.  I see little
>>>> value in providing NTP to Asian Pacific networks from Washington, DC.
>>> I agree. Not following the rules of engagement for stratum 1/2 servers
>>> can mean you block all NTP traffic from those nodes or issuing
>>> occasional KOD packets to those nodes.
>> Yes, sure.   But blocking an entire region because of 4 abusers?
> Why not? As he says, he sees no reason to supply time to somewhere half
> a world away. It would be lousy time anyway. And if providing it causes
> trouble as well, that makes the decision easy. 

He does not only block entire /8 networks based on his own evaluation
of the value of his service to people in those networks, he also advises
others to do the same.

That means he is not really concerned that the time service of his server
would be of no value to those people; he just wants to deprive the
people of that network from all NTP service.

I think it is disgusting.  Hackers live everywhere, also in the USA.
Cutting off a whole region from NTP service is not going to solve that.
When they really are after his service, the hackers will quickly find
a network from where they can DOS his server and which he cannot cut
off so lightheartedly at /8 level.

But the worst is his recommendation to others to do the same.
Everyone can decide what networks to block on his servers based on his
own personal judgement and service criteria.  But recommending others
to blindly follow that is well over the line of acceptable.
