[Pool] [D]DoS attack characteristics and mitigation

Miroslav Lichvar mlichvar at redhat.com
Mon Feb 10 14:13:17 UTC 2014


On Mon, Feb 10, 2014 at 12:14:10PM +0000, Jim Reid wrote:
> >> My NTP server was recently killed by such an attack (no monlist). It was getting far in excess of 50K qps, possibly well over 100K qps. Things were so bad any IPv4 traffic was just about impossible because the server's IPv4 stack -- internal data structures, buffer resources, etc -- had been overwhelmed. That box is no longer in the pool and will probably never return. Another NTP server I ran which wasn't in the pool got DDoS'ed last week in a similar attack and it didn't do monlist either.
> > 
> > Were the servers configured with restrict noquery? 
> 
> Yes. They've configured that way for years:
> 
> % grep noquery /etc/ntp.conf 
> restrict	default kod nomodify notrap nopeer noquery limited
> restrict	-6 default kod nomodify notrap nopeer noquery limited

That's odd. With noquery the server should respond only to normal
client requests and with limited+kod the outgoing packet rate should
be much smaller and not useful for an amplification/reflection attack.

Any chance the config also has "disable monitor"? That effectively
disables the limited and kod options.

-- 
Miroslav Lichvar


More information about the pool mailing list