[ntp:questions] Thoughts on KOD
magnus at rubidium.dyndns.org
Mon Jul 7 15:34:24 UTC 2014
On 07/07/2014 04:10 PM, Danny Mayer wrote:
> The experience with blocking has actually been negative and we have
> seen traffic actually INCREASE after it is blocked because the client,
> not having received a response, tries more often. This has been observed
> in the wild.

This might be true for proper NTP clients, but I wonder if this is true
for faked NTP requests from DDOSers. KOD fills no purpose for DDOSers,
so massive attacks are best handled by dropping that traffic, and
possibly pushing the dropping away from the node and subnet running the
server. For more modest overload scenarios such as misconfigured or
otherwise errored NTP clients, I believe that what you describe is correct.

Let's not confuse these different scenarios, as they most probably have
different solutions. My point was that DDOS amplification/relaying
should be considered, as we need that solved, while KOD refinements are
maybe nice but address another problem.

I don't think you will be able to handle the DDOS issues without doing
blocking, and you want that blocking to move away from your server in
order to reduce the impact of the service.