[ntp:questions] DDOS attacks and NTP

Greg Troxel gdt at ir.bbn.com
Wed Nov 6 00:57:30 UTC 2013


Harlan Stenn <stenn at ntp.org> writes:

> Without knowing more about exactly what is involved, the one thing that
> leaps to mind is that folks should look at "restrict default noquery"
> with appropriate per-host or per-network overrides.

Two thoughts:

1) The big question is whether someone has really discovered something
that can be called amplification, vs just obscuring the source.  Even if
it's just regular NTP time exchange packets with forged source
addresses, it makes it that much harder for the victim to figure out the
source.

2) It would be unfortunate to lose the ability to diagnose random things
due to fear of DDOS.  So I wonder about a default strategy of
rate-limiting replies to queries based on source address and also
destination of the reply, should there be any replies sent to other than
the incoming source.  And perhaps these rate limits should log alarms.
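The two suggestions above (a `noquery` default with per-host/per-network overrides, and rate-limited replies keyed on source address) map onto ntpd's `restrict` and `discard` directives. The following ntp.conf fragment is an added example, not from this thread or from the ntp.org project; the 192.0.2.0/24 and 198.51.100.0/24 ranges and the server name are constructed placeholders.

```conf
# Added example: ntp.conf access policy. Default line applies to every
# address not matched by a more specific "restrict" below.
#   noquery  - drop mode 6 (ntpq) and mode 7 (ntpdc) control/monitor queries
#   nomodify - refuse runtime configuration changes
#   nopeer   - do not let an unsolicited peer form a symmetric association
#   notrap   - no mode 6 trap service
#   limited  - rate-limit packets per source address using "discard" thresholds
#   kod      - answer over-limit sources with a Kiss-o'-Death packet
restrict -4 default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited

# Threshold used by "limited"/"kod": minimum average headway per source,
# in log2 seconds (3 = 8 s, the ntpd default, written out explicitly).
discard average 3

# Per-host override: the local host keeps full query access so that
# ntpq/ntpdc diagnostics still work from the server itself.
restrict 127.0.0.1
restrict -6 ::1

# Per-network override (constructed range): a management network may run
# ntpq queries for diagnosis, but still cannot modify or peer.
restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer limited

# Per-network override (constructed range): ordinary LAN clients get
# rate-limited time service only; queries stay blocked.
restrict 198.51.100.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery limited

# Upstream source (placeholder name). Its mode 4 replies arrive at the
# normal poll interval, so the default rate limit does not affect them.
server ntp.example.net iburst
```

Sources that exceed the limit are noted in ntpd's statistics counters (and in the sysstats file when `statistics sysstats` is enabled), which gives a place to raise the alarm the message asks for.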
