[Pool] [D]DoS attack characteristics and mitigation

Jim Reid ntp-pool at rfc1035.net
Mon Feb 10 11:19:51 UTC 2014

On 10 Feb 2014, at 10:42, "David J Taylor" <david-taylor at blueyonder.co.uk> wrote:

> I throw in rate-limiting.  So my server can also not be used
> for "reflection" attacks.  Where some rogue client floods
> my server with normal "ask the time" requests
> with forged sender (the victim's IP). The victim would
> see a flood of answers regarding questions it never asked.
> This kind of attack provides no amplification, but hides
> the attacker's IP, from the victim's point of view.

That in itself can be enough. I suspect that for some attackers, any amplification factor is just an added bonus. They may well know they're doing damage but not so aware of its impact and what could make that worse. It's also unclear if these attacks are motivated by (targeted) malice or if it's script kiddies doing the equivalent of shouting "Fire!" in a crowded theatre.

> This is just a personal precaution.  I have not heard
> un-amplified reflection actually takes place.

Well now you just have. :-(

My NTP server was recently killed by such an attack (no monlist). It was getting far in excess of 50K qps, possibly well over 100K qps. Things were so bad any IPv4 traffic was just about impossible because the server's IPv4 stack -- internal data structures, buffer resources, etc -- had been overwhelmed. That box is no longer in the pool and will probably never return. Another NTP server I ran which wasn't in the pool got DDoS'ed last week in a similar attack and it didn't do monlist either.

> But even with my dated version of ntpd, given what
> I learned in the recent discussion here on the list,
> I consider myself safe unless 600+ such attacks
> attempt to use my server against 600+ different
> victims simultaneously.

As the captain of the Titanic might have said: I see no icebergs. Full steam ahead!

Whatever defences are in ntpd and the kernel will probably not be enough for an NTP server that would be a juicy target -- close to a decent IX, lots of bandwidth, beefy CPU etc. These servers should get protection such as rate limiting, ACLs, traffic shaping and possibly ingress filtering from their upstream router(s). Defence in depth and all that.

BTW there are similar attacks going on against DNS servers. These usually have a 30+ to one amplification factor thanks to DNSSEC responses.

More information about the pool mailing list