[Pool] [D]DoS attack characteristics and mitigation

Miroslav Lichvar mlichvar at redhat.com
Mon Feb 10 11:32:37 UTC 2014

On Mon, Feb 10, 2014 at 11:19:51AM +0000, Jim Reid wrote:
> On 10 Feb 2014, at 10:42, "David J Taylor" <david-taylor at blueyonder.co.uk> wrote:
> > This is just a personal precaution.  I have not heard
> > un-amplified reflection actually takes place.
> Well now you just have. :-(
> My NTP server was recently killed by such an attack (no monlist). It was getting far in excess of 50K qps, possibly well over 100K qps. Things were so bad any IPv4 traffic was just about impossible because the server's IPv4 stack -- internal data structures, buffer resources, etc -- had been overwhelmed. That box is no longer in the pool and will probably never return. Another NTP server I ran which wasn't in the pool got DDoS'ed last week in a similar attack and it didn't do monlist either.

Were the servers configured with restrict noquery? I'm wondering if
they used normal NTP client request (mode 3) or just a different
command than monlist.

Miroslav Lichvar

More information about the pool mailing list