[ntp:questions] NTP Denial of Service attack 29 November 2011

Rich schmidt.rich at gmail.com
Wed Nov 30 23:56:01 UTC 2011

On Nov 30, 5:34 pm, Danny Mayer <ma... at ntp.org> wrote:
> On 11/30/2011 12:26 PM, Rob wrote:
> > unruh <un... at invalid.ca> wrote:
> >> On 2011-11-30, Rob <nom... at example.com> wrote:
> >>> Danny Mayer <ma... at ntp.org> wrote:
> >>>> On 11/29/2011 4:57 PM, Rich wrote:
> >>>>>> Isn't that a bit wide a range to block for only 4 IPs?
> >>>>>> What makes you think any further attacks will come from the same range?
> >>>>> Only my 17 years experience at the stratum 1 level.  I see little
> >>>>> value in providing NTP to Asian Pacific networks from Washington, DC.
> >>>> I agree. Not following the rules of engagement for stratum 1/2 servers
> >>>> can mean you block all NTP traffic from those nodes or issuing
> >>>> occasional KOD packets to those nodes.
> >>> Yes, sure.   But blocking an entire region because of 4 abusers?
> >> Why not. As he says, he sees no reason to supply time to somewhere half
> >> a world away. It would be lousy time anyway. And if providing it causes
> >> trouble as well, that makes the decision easy.
> > He does not only block entire /8 networks based on his own evaluation
> > of the value of his service to people in those networks, he also advises
> > others to do the same.
> > That means he is not really concerned that the time service of his server
> > would be of no value to those people; he just wants to deprive the
> > people of that network from all NTP service.
> > I think it is disgusting.  Hackers live everywhere, also in the USA.
> > Cutting off a whole region from NTP service is not going to solve that.
> > When they really are after his service, the hackers will quickly find
> > a network from where they can DOS his server and which he cannot cut
> > off so lightheartedly at /8 level.
> > But the worst is his recommendation to others to do the same.
> > Everyone can decide what networks to block on his servers based on his
> > own personal judgement and service criteria.  But recommending others
> > to blindly follow that is well over the line of acceptable.
> Rich works for the US Military and as such he can decide what's best for
> the US Military. His recommendations to others are just that. As for
> Hackers, if this was being sent from the different places in the US it
> would have been a different decision and recommendation. The FBI would
> also be out investigating. They still may be.
> Danny

Someone is "at war" with USNO  NTP service. They could be students,
who knows?  But all of the offending addresses traced to Chinese
sites. In order to continue to provide NTP to US customers, USNO
elected to block Chinese networks at the /8 level whenever we were
able to trace the attacks to those networks.  Note that there are
2,605 known Chinese CIDR blocks. It takes some time to implement that
block list, and it requires considerable horsepower.   When it comes
to making a choice between staying online and denying USNO NTP to
China, we must unfortunately make the more secure choice.  In general,
access to DoD servers (including NTP servers) is blocked at the
NIPRNET boundary.  The USNO servers are an exception, but in light of
what happened yesterday, there will certainly be operational
restrictions imposed at a level higher than at USNO.   I am not at
liberty to further detail operational security.

It was never USNO's intention to serve the world from Washington, DC.
Nor is it my intention to promote blindly following my recommendations
regarding blocking networks. But my fellow stratum-1 operators should
be informed of specific threats as they develop.  I have a growing
list of specific IPs which you should block. Until this list is
classified you may contact me for the latest.

More information about the questions mailing list