[Pool] [D]DoS attack characteristics and mitigation

Jim Reid ntp-pool at rfc1035.net
Mon Feb 10 12:14:10 UTC 2014


On 10 Feb 2014, at 11:32, Miroslav Lichvar <mlichvar at redhat.com> wrote:

>> My NTP server was recently killed by such an attack (no monlist). It was getting far in excess of 50K qps, possibly well over 100K qps. Things were so bad any IPv4 traffic was just about impossible because the server's IPv4 stack -- internal data structures, buffer resources, etc -- had been overwhelmed. That box is no longer in the pool and will probably never return. Another NTP server I ran which wasn't in the pool got DDoS'ed last week in a similar attack and it didn't do monlist either.
> 
> Were the servers configured with restrict noquery? 

Yes. They've configured that way for years:

% grep noquery /etc/ntp.conf 
restrict	default kod nomodify notrap nopeer noquery limited
restrict	-6 default kod nomodify notrap nopeer noquery limited

Sadly, I have no data on the attack source or what its packets looked like.



More information about the pool mailing list