[ntp:questions] Possible new attack?
cswiger at mac.com
Mon Oct 6 18:53:46 UTC 2014
On Oct 6, 2014, at 11:36 AM, Evandro Menezes <aevandro at gmail.com> wrote:
> I've noticed a couple of NTP clients with the unusual avgint of 16s with hundreds of accesses to my NTP server in the pool. I added a restriction, in addition to the recommended ones already in place, to cope with the suspicious clients, bumping the discard average threshold to 32s. Eventually, KoD kicked them out, but they returned again and again, each time with a different source UDP port. I'd think that were it the case of an improperly configured, though kosher, NTP client, it would not haunt the server again after a KoD. I suspect that it's the case of zombie systems running some sort of DoS bot. If so, is this the behavior of the recent DRDoS attack or a new attack on NTP?
Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware of phone switches, routers, and such are truly brain-dead and will not only ignore KoD replies, some of them will even start polling at 1-second intervals. You're better off firewalling off IPs which poll at abusive rates rather than hoping that ntpd's restrict/KoD stuff will help.
You can try to contact the remote sites and ask them to fix their broken NTP clients, but expect lots of pushback.
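An added example, not part of the thread: the per-IP check that the firewalling advice implies. Requests are aggregated across all source ports, so a client that comes back on a new port after a KoD is still counted against the same address; the log line format and the sample addresses are constructed, and the 32s threshold is the discard average from the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in a hypothetical "timestamp src_ip:src_port" format
# (one line per NTP request); not real server logs.
SAMPLE_LOG = """\
2014-10-06T18:00:00Z 198.51.100.7:123
2014-10-06T18:00:16Z 198.51.100.7:40001
2014-10-06T18:00:32Z 198.51.100.7:40002
2014-10-06T18:00:48Z 198.51.100.7:40003
2014-10-06T18:01:04Z 198.51.100.7:40004
2014-10-06T18:00:00Z 203.0.113.9:123
2014-10-06T18:17:04Z 203.0.113.9:123
2014-10-06T18:34:08Z 203.0.113.9:123
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_requests(text):
    """Yield (timestamp, ip, port) for each well-formed line of the constructed log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), int(m.group(3))


def abusive_sources(text, min_avg_interval=32.0, min_requests=4):
    """Return {ip: (avg_interval_s, n_requests, n_distinct_ports)} for every
    source IP whose average inter-request interval, computed over all of its
    source ports together, is below min_avg_interval seconds."""
    by_ip = defaultdict(list)
    for ts, ip, port in parse_requests(text):
        by_ip[ip].append((ts, port))
    flagged = {}
    for ip, events in by_ip.items():
        if len(events) < min_requests:  # too few samples to judge a rate
            continue
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        avg = span / (len(events) - 1)
        if avg < min_avg_interval:
            flagged[ip] = (avg, len(events), len({p for _, p in events}))
    return flagged


if __name__ == "__main__":
    for ip, (avg, n, ports) in abusive_sources(SAMPLE_LOG).items():
        print(f"{ip}: avg interval {avg:.0f}s over {n} requests from {ports} ports")
```

The flagged IPs are candidates for a host-level firewall rule; the distinct-port count distinguishes the port-hopping pattern from a single misconfigured client.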