[ntp:questions] London Metro newspaper misrepresent NTP amplification attack.

William Unruh unruh at invalid.ca
Thu Feb 13 06:56:15 UTC 2014

On 2014-02-12, David Woolley <david at ex.djwhome.demon.invalid> wrote:
> In this article, which also appeared in the paper version this morning, 
> they suggest that normal NTP time requests result in a much larger 
> response than the request.
> http://metro.co.uk/2014/02/11/the-start-of-ugly-things-to-come-hackers-flood-european-servers-in-biggest-computer-attack-of-its-kind-4300395/

Normal time packets are AFAIK the same size going out or coming back. 
Administration packets can be highly asymmetric (factors of 450 have
been claimed). I was spanked by the sysadmins at my Uni because I had
one ntpd server, and it was used in the DoS attack. Almost all of my
machines use chrony, and it was a lone holdout for testing. Since the
GPS 18 attached to it has died (both mine only lasted about 3 years) I
just took the ntpd off the air, and felt rather foolish, since I had
been the one that suggested that chrony be fixed (and it has been by
Lichvar) to make sure it does not amplify. And a week later I am the
guilty party with ntpd.

At least with chrony the default was always not to reply to external
commands. ntpd had the default to reply which was a bit silly.
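
An added example, not part of the original post: a check an administrator could run over captured NTP traffic to see the asymmetry described above. It splits datagrams into time packets and administration packets (modes 6 and 7, read from the low three bits of the first byte) and compares bytes sent to bytes received. The sample packets, their sizes, the address and the 2.0 threshold are constructed for illustration.

```python
from collections import defaultdict

ADMIN_MODES = {6, 7}  # mode 6 = control (ntpq), mode 7 = private/administration (ntpdc)

def ntp_mode(payload: bytes) -> int:
    """Return the NTP mode: the low 3 bits of the first header byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07

def byte_ratios(packets):
    """packets: iterable of (server, direction, payload); direction is
    'in' (towards the server) or 'out' (from it).
    Returns {(server, kind): (bytes_in, bytes_out, ratio)}, kind 'time' or 'admin'."""
    totals = defaultdict(lambda: [0, 0])
    for server, direction, payload in packets:
        kind = "admin" if ntp_mode(payload) in ADMIN_MODES else "time"
        totals[(server, kind)][0 if direction == "in" else 1] += len(payload)
    return {k: (i, o, o / i if i else float("inf")) for k, (i, o) in totals.items()}

def amplifying(stats, threshold=2.0):
    """Keys whose replies outweigh the requests by more than `threshold` (assumed cut-off)."""
    return sorted(k for k, (_, _, r) in stats.items() if r > threshold)

# Constructed sample traffic; sizes and the address (documentation range) are made up.
SERVER = "192.0.2.10"
SAMPLE = [
    (SERVER, "in", bytes([0x23]) + bytes(47)),   # mode 3 client request, 48 bytes
    (SERVER, "out", bytes([0x24]) + bytes(47)),  # mode 4 server reply, 48 bytes
    (SERVER, "in", bytes([0x17]) + bytes(7)),    # mode 7 request, 8 bytes
] + [(SERVER, "out", bytes([0x97]) + bytes(439))] * 5  # five 440-byte mode 7 replies

if __name__ == "__main__":
    stats = byte_ratios(SAMPLE)
    for key in sorted(stats):
        print(key, stats[key])
    print("amplifying:", amplifying(stats))
```

A server that shows up under the `admin` kind with a high ratio is answering administration queries from outside, which is the behaviour the post says chrony never had by default.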
