[Pool] [D]DoS attack characteristics and mitigation
ntp-pool at rfc1035.net
Mon Feb 10 12:14:10 UTC 2014
On 10 Feb 2014, at 11:32, Miroslav Lichvar <mlichvar at redhat.com> wrote:
>> My NTP server was recently killed by such an attack (no monlist). It was getting far in excess of 50K qps, possibly well over 100K qps. Things were so bad any IPv4 traffic was just about impossible because the server's IPv4 stack -- internal data structures, buffer resources, etc -- had been overwhelmed. That box is no longer in the pool and will probably never return. Another NTP server I ran which wasn't in the pool got DDoS'ed last week in a similar attack and it didn't do monlist either.
> Were the servers configured with restrict noquery?
Yes. They've been configured that way for years:
% grep noquery /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
Sadly, I have no data on the attack source or what its packets looked like.
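The exchange above turns on what `noquery` actually covers: it refuses mode 6 (ntpq) and mode 7 (ntpdc, which is where monlist lives) packets, but ordinary mode 3 client requests are still answered, so a server with exactly the restrict lines quoted above can still be flooded with plain time requests. The following is an added example, not code from the post or from the ntp project. It parses the quoted `restrict ... default` lines from a constructed ntp.conf fragment, constructs three NTP payloads (a mode 3 client request, a mode 6 control query and the classic mode 7 monlist probe, all built inline), and runs them through a simplified model of ntpd's restriction checks. The decision function is an approximation (it ignores authentication and models `limited` as "answered but subject to the discard rate limit"); the request codes 20 and 42 are the MON_GETLIST / MON_GETLIST_1 values from ntpd's ntp_request.h.

```python
"""Model of how ntpd 'restrict' flags treat different NTP packet modes.

Added example, not from the mailing-list post. Shows that 'noquery' stops
mode 6/7 traffic (including monlist) while mode 3 client requests are still
answered, so they can still swamp a server that has noquery set.
"""

# Constructed ntp.conf fragment. The two 'restrict ... default' lines are the
# ones quoted in the post; the remaining lines are filler to exercise the parser.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1            # loopback: unrestricted
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org iburst
"""

MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)"}
# Mode 7 request codes (ntp_request.h) that return the MRU list, i.e. monlist.
MON_GETLIST, MON_GETLIST_1 = 20, 42


def parse_restrict_lines(conf_text):
    """Return {address_key: set(flags)} for every 'restrict' line in conf_text.

    Keys look like 'default', '-6 default', '127.0.0.1' or
    '192.0.2.0/255.255.255.0' (address/mask when a 'mask' clause is present).
    """
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = tokens.pop(0) if tokens and tokens[0] in ("-4", "-6") else None
        addr = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            addr = f"{addr}/{tokens[1]}"
            tokens = tokens[2:]
        key = addr if family is None else f"{family} {addr}"
        rules[key] = set(tokens)
    return rules


def ntp_mode(payload):
    """The mode is the low three bits of the first byte (LI:2, VN:3, Mode:3)."""
    return payload[0] & 0x07


def is_monlist(payload):
    """True for a mode 7 request whose request code asks for the MRU (monlist) list."""
    if len(payload) < 4 or ntp_mode(payload) != 7:
        return False
    return payload[3] in (MON_GETLIST, MON_GETLIST_1)


def restrict_decision(flags, payload):
    """Simplified model of ntpd's handling of one packet under a restrict flag set.

    Simplifications (assumptions of this example): authentication is ignored
    (nopeer only exempts authenticated peers), and 'limited' is modelled as
    'answered, but subject to the discard rate limit'.
    """
    mode = ntp_mode(payload)
    if "ignore" in flags:
        return "drop"
    if mode in (6, 7):                       # ntpq / ntpdc, including monlist
        return "drop" if "noquery" in flags else "answer"
    if mode == 1 and "nopeer" in flags:      # unauthenticated peering attempt
        return "drop"
    if "noserve" in flags:                   # time service denied outright
        return "drop"
    if "limited" in flags:
        return "answer, rate-limited" + (", KoD when over limit" if "kod" in flags else "")
    return "answer"


# Constructed packets, as a client or an attacker would send them.
CLIENT_REQ = bytes([0x23]) + bytes(47)                      # LI=0 VN=4 mode=3, 48-byte request
CONTROL_REQ = bytes([0x16]) + bytes(11)                     # LI=0 VN=2 mode=6, ntpq-style header
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2a]) + bytes(4)    # VN=2 mode=7, impl 3, req code 42


def classify_traffic(rules, payloads):
    """Count packets by kind and by what the 'restrict default' rule does with them."""
    flags = rules.get("default", set())
    counts = {}
    for p in payloads:
        mode = ntp_mode(p)
        kind = "monlist" if is_monlist(p) else MODE_NAMES.get(mode, f"mode {mode}")
        key = (kind, restrict_decision(flags, p))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_restrict_lines(SAMPLE_NTP_CONF)
    # A flood of ordinary client requests with one monlist and one ntpq probe mixed in.
    flood = [CLIENT_REQ] * 1000 + [MONLIST_REQ, CONTROL_REQ]
    for (kind, decision), n in sorted(classify_traffic(rules, flood).items()):
        print(f"{n:5d}  {kind:18s} -> {decision}")
```

Run stand-alone it prints that the monlist and ntpq probes are dropped by `noquery` while all 1000 client requests are answered (rate-limited, with KoD replies once the discard threshold is exceeded). That is the gap the post describes: the `restrict` line is doing what it is documented to do, and a flood of legitimate-looking mode 3 packets is not something `noquery` was ever meant to stop.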