[Pool] DDOS protection check?

Hal Murray hmurray at megapathdsl.net
Thu Feb 13 08:07:52 UTC 2014


timekeeper at famsik.de said:
> The rogue ones could use a botnet to send junk in a DDOS attack, send that
> junk directly from the bots to the victim with no NTP server involved, but
> nevertheless the bots could forge the sender address to make it _appear_ the
> junk comes from legitimate NTP servers - hoping the victim's provider's
> admins will be fooled into contacting the NTP servers' admins. 

I think there are two interesting cases.

One is sending NTP "answers" to the victim with the source address forged to 
be an innocent NTP server.  That hides the source of the crap but doesn't 
provide any amplification.  We should have enough data collection stuff in 
the server to debug this.  Do we?  How does the old/released code compare to 
the new/ntp-dev code?

The other case is where the bad guy fakes an amplification attack with the 
source forged to be an innocent NTP server.  Assuming modest amounts of trust 
in the server operator, it's easy to test to see if the server supports 
amplification.  Just try it.  If the server responds to basic time requests 
but doesn't respond to monlist, the most likely problem is that the reporter 
jumped to the amplification conclusion because it's been in the news a lot 
recently.



-- 
These are my opinions.  I hate spam.
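
An added example, not part of the original message or of ntpd's code: a triage sketch that a victim-side admin could run over captured UDP/123 payloads to tell the two cases above apart, plain time "answers" versus monlist-shaped responses. The function names and sample packets are constructed for illustration, and the field offsets assume ntpd's mode 7 (ntpdc) packet layout.

```python
import struct
from collections import Counter

MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (ntpd mode 7)

def classify(payload: bytes) -> str:
    """Label one UDP/123 payload by NTP mode (low 3 bits of byte 0)."""
    if len(payload) < 8:
        return "not-ntp"
    mode = payload[0] & 0x07
    if mode == 4 and len(payload) >= 48:
        return "time-reply"          # ordinary server answer, 48 bytes + optional MAC
    if mode == 3 and len(payload) >= 48:
        return "time-request"
    if mode == 7:
        is_response = bool(payload[0] & 0x80)   # R bit
        if is_response and payload[3] in MONLIST_CODES:
            return "monlist-response"
        return "mode7-other"
    return "other"

def monlist_items(payload: bytes) -> int:
    """Number of monitor entries carried (low 12 bits of bytes 4-5)."""
    return struct.unpack("!H", payload[4:6])[0] & 0x0FFF

def triage(payloads):
    """Return (verdict, per-label counts, total payload bytes)."""
    counts = Counter(classify(p) for p in payloads)
    total = sum(len(p) for p in payloads)
    if counts["monlist-response"] > counts["time-reply"]:
        verdict = "monlist-shaped"       # second case: check whether the named server answers monlist at all
    elif counts["time-reply"]:
        verdict = "plain-time-replies"   # first case: forged "answers", no amplification
    else:
        verdict = "not-ntp-shaped"
    return verdict, counts, total

# Constructed samples, not captured traffic.
TIME_REPLY = bytes([0x24]) + bytes(47)                        # VN 4, mode 4
MONLIST_RESP = (bytes([0xD7, 0x00, 0x03, 0x2A])               # R+M bits, VN 2, mode 7, impl 3, code 42
                + struct.pack("!HH", 6, 72) + bytes(6 * 72))  # 6 items of 72 bytes

if __name__ == "__main__":
    print(triage([TIME_REPLY] * 5))
    print(triage([MONLIST_RESP] * 3 + [TIME_REPLY]))
```

A "monlist-shaped" verdict only describes the packets; because the source address can be forged, it says nothing about whether the named server sent them.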




