[Pool] [D]DoS attack characteristics and mitigation

Hal Murray hmurray at megapathdsl.net
Mon Feb 10 18:07:25 UTC 2014

ntp-pool at rfc1035.net said:
> My NTP server was recently killed by such an attack (no monlist). It was
> getting far in excess of 50K qps, possibly well over 100K qps. Things were
> so bad any IPv4 traffic was just about impossible because the server's IPv4
> stack -- internal data structures, buffer resources, etc -- had been
> overwhelmed. That box is no longer in the pool and will probably never
> return. Another NTP server I ran which wasn't in the pool got DDoS'ed last
> week in a similar attack and it didn't do monlist either. 

What sort of system was that?  How good was the network connection to the 
outside world?

> IMO if too many spoofed? packets reach the NTP server, the bad guys have won
> no matter what ntpd does. 

True.  I'd expect a modern CPU to be able to keep up with a 100 megabit link. 
 Anybody have any good numbers?

These are my opinions.  I hate spam.

More information about the pool mailing list