[ntp:questions] Possible new attack?

Rob nomail at example.com
Tue Oct 7 07:54:01 UTC 2014


Evandro Menezes <aevandro at gmail.com> wrote:
> I've noticed a couple of NTP clients with the unusual avgint of 16s with hundreds of accesses to my NTP server in the pool.  I added a restriction, in addition to the recommended ones already in place, to cope with the suspicious clients bumping the discard average threshold to 32s.  Eventually, KoD kicked them out, but they returned again and again, but each time with a different source UDP port.  I'd think that were it the case of an improperly configured, though kosher, NTP client, it would not haunt the server again after a KoD.  I suspect that it's the case of zombie systems running some sort of DoS bot.  If so, is this the behavior of the recent DRDoS attack or a new attack on NTP?

Never send KoD on traffic that you don't like!
It serves no useful purpose.  Most badly behaving clients will ignore it,
the worst ones will react to it with a quick re-try.
It only drives up your outging traffic.  Just drop the offending traffic,
that saves you the effort of replying and makes it go away quicker.



More information about the questions mailing list