[Pool] [D]DoS attack characteristics and mitigation
ntp-pool at rfc1035.net
Mon Feb 10 14:29:02 UTC 2014
On 10 Feb 2014, at 14:13, Miroslav Lichvar <mlichvar at redhat.com> wrote:
>>> Were the servers configured with restrict noquery?
>> Yes. They've been configured that way for years:
>> % grep noquery /etc/ntp.conf
>> restrict default kod nomodify notrap nopeer noquery limited
>> restrict -6 default kod nomodify notrap nopeer noquery limited
> That's odd. With noquery the server should respond only to normal
> client requests and with limited+kod the outgoing packet rate should
> be much smaller and not useful for an amplification/reflection attack.
Indeed. However my servers were (D)DoS'ed, probably in reflection attacks.
The point I was making was that the above config file options didn't really help against those attacks on my NTP servers. So presumably if a bad guy's got a big enough botnet or is using millions of fake source addresses, ntpd's rate-limiting isn't up to the job => applying defensive measures in the upstream routers.
IMO if too many spoofed? packets reach the NTP server, the bad guys have won no matter what ntpd does.
Perhaps it's time to think about switching public NTP servers to TCP transport and only use UDP on the LAN?
> Any chance the config also has "disable monitor"?
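As an added illustration, not part of this thread, a small Python audit of the restrict lines discussed above: it checks that the default restriction for both address families carries noquery, limited and kod, and that monitor is disabled as asked about. The two sample configs are constructed; treating an unqualified `restrict default` as covering both IPv4 and IPv6 is an assumption about ntpd's behaviour (older releases may treat it as IPv4 only).

```python
# Constructed sample configs: the restrict lines quoted in the thread,
# plus a deliberately weaker variant for comparison.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
disable monitor
"""

WEAK_CONF = """\
restrict default nomodify notrap   # no noquery, no limited/kod
server 0.pool.ntp.org
"""

def parse_ntp_conf(text):
    # Returns ({"4": flags or None, "6": flags or None}, set of disabled features).
    default = {"4": None, "6": None}
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            rest = tokens[1:]
            families = ("4", "6")   # assumption: unqualified default covers both
            if rest and rest[0] in ("-4", "-6"):
                families = (rest[0][1],)
                rest = rest[1:]
            if rest and rest[0] == "default":
                for fam in families:
                    default[fam] = set(rest[1:])
        elif tokens[0] == "disable":
            disabled.update(tokens[1:])
    return default, disabled

def audit(text):
    # Findings: a missing default restriction, a default restriction lacking one of
    # noquery/limited/kod, or monitor (monlist) left enabled. Empty list = clean.
    default, disabled = parse_ntp_conf(text)
    findings = []
    for fam in ("4", "6"):
        flags = default[fam]
        if flags is None:
            findings.append(f"no 'restrict default' for IPv{fam}")
            continue
        for needed in ("noquery", "limited", "kod"):
            if needed not in flags:
                findings.append(f"IPv{fam} default restrict lacks {needed}")
    if "monitor" not in disabled:
        findings.append("'disable monitor' not set")
    return findings
```

Run `audit(open("/etc/ntp.conf").read())` against a live config; an empty list means the options from the thread are all present, though, as the thread notes, that does not stop a plain flood of spoofed packets.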