[Pool] DDOS protection check?
hmurray at megapathdsl.net
Thu Feb 13 08:07:52 UTC 2014
timekeeper at famsik.de said:
> The rogue ones could use a botnet to send junk in a DDOS attack, send that
> junk directly from the bots to the victim with no NTP server involved, but
> nevertheless the bots could forge the sender address to make it _appear_ the
> junk comes from legitimate NTP servers - hoping the victim's provider's
> admins will be fooled into contacting the NTP servers' admins.
I think there are two interesting cases.
One is sending NTP "answers" to the victim with the source address forged to
be an innocent NTP server. That hides the source of the crap but doesn't
provide any amplification. We should have enough data collection stuff in
the server to debug this. Do we? How does the old/released code compare to
the new/ntp-dev code?
The other case is where the bad guy fakes an amplification attack with the
source forged to be an innocent NTP server. Assuming modest amounts of trust
in the server operator, it's easy to test to see if the server supports
amplification. Just try it. If the server responds to basic time requests
but doesn't respond to monlist, the most likely problem is that the reporter
jumped to the amplification conclusion because it's been in the news a lot.
These are my opinions. I hate spam.
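Hal's two cases can be told apart from a packet capture without any guesswork: forged mode 4 "answers" arrive at the victim unsolicited but are ordinary 48-byte packets, while a real amplifier emits mode 7 monlist responses that are many times larger than the 8-byte request that triggered them. The following is an added example, not code from the pool list or from the ntp project: it decodes the common NTP header and the mode 7 private-protocol header, then audits a list of `(src_ip, dst_ip, udp_payload)` tuples as a capture tool would hand them over. The two captures, the IP addresses (RFC 5737 documentation ranges) and the helper that builds the packets are all constructed here for illustration; the header layout and the monlist request code 42 (MON_GETLIST_1, 72-byte entries) follow ntpd's mode 7 format.

```python
"""Distinguish spoofed NTP answers from genuine monlist amplification.

Constructed example (not the pool project's or ntpd's code). Packets are
(src_ip, dst_ip, udp_payload) tuples; all addresses are documentation
addresses chosen for illustration.
"""
import struct

NTP_MODE_CLIENT = 3
NTP_MODE_SERVER = 4
NTP_MODE_PRIVATE = 7          # ntpd's mode 7 monitoring/control protocol
REQ_MON_GETLIST_1 = 42        # request code used by "monlist"
MONLIST_ENTRY_SIZE = 72       # size of one MON_GETLIST_1 entry


def parse_ntp(payload):
    """Decode the fields needed to classify a packet.

    Byte 0 of every NTP packet carries LI/VN/Mode (mode = low 3 bits).
    Mode 7 packets reuse byte 0 as R M VN Mode and add: byte 1 auth/seq,
    byte 2 implementation, byte 3 request code, then Err/Nitems and
    MBZ/ItemSize as two big-endian 16-bit words.
    """
    if len(payload) < 8:
        raise ValueError("too short to be an NTP packet")
    first = payload[0]
    info = {"mode": first & 0x07, "version": (first >> 3) & 0x07,
            "length": len(payload)}
    if info["mode"] == NTP_MODE_PRIVATE:
        err_nitems, mbz_size = struct.unpack("!HH", payload[4:8])
        info["response"] = bool(first & 0x80)   # R bit: reply, not request
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        info["nitems"] = err_nitems & 0x0FFF
        info["item_size"] = mbz_size & 0x0FFF
    return info


def audit(packets, server_ip):
    """Summarise traffic to/from server_ip as seen in the capture.

    amplification is bytes_out / bytes_in, or None when the capture holds
    no traffic *to* the server (the spoofed-answer case: the server never
    saw a request, so it cannot have amplified anything).
    """
    bytes_in = bytes_out = 0
    pending = set()            # peers with an outstanding mode 3 request
    unsolicited = monlist = largest = 0
    for src, dst, payload in packets:
        info = parse_ntp(payload)
        if dst == server_ip:
            bytes_in += info["length"]
            if info["mode"] == NTP_MODE_CLIENT:
                pending.add(src)
        elif src == server_ip:
            bytes_out += info["length"]
            largest = max(largest, info["length"])
            if info["mode"] == NTP_MODE_SERVER:
                if dst in pending:
                    pending.discard(dst)
                else:
                    unsolicited += 1   # reply with no matching request
            elif (info["mode"] == NTP_MODE_PRIVATE and info["response"]
                  and info["request_code"] == REQ_MON_GETLIST_1):
                monlist += 1
    return {"bytes_in": bytes_in, "bytes_out": bytes_out,
            "unsolicited_replies": unsolicited, "monlist_replies": monlist,
            "largest_reply": largest,
            "amplification": (bytes_out / bytes_in) if bytes_in else None}


# --- constructed sample traffic -------------------------------------------
SERVER, VICTIM = "192.0.2.10", "198.51.100.7"


def ntp_packet(mode, version=3, length=48):
    """Plain time packet: LI=0, given VN/mode, zero body (constructed)."""
    return bytes([(version << 3) | mode]) + b"\x00" * (length - 1)


# Case one: three ordinary mode 4 replies the victim never asked for.
SPOOFED_ANSWER_CAPTURE = [(SERVER, VICTIM, ntp_packet(NTP_MODE_SERVER))
                          for _ in range(3)]

# Case two: an 8-byte mode 7 monlist request (source forged to the victim)
# and the 440-byte response: 8-byte header plus six 72-byte entries.
MONLIST_REQUEST = bytes([(2 << 3) | NTP_MODE_PRIVATE, 0, 3,
                         REQ_MON_GETLIST_1]) + b"\x00" * 4
MONLIST_RESPONSE = (bytes([0x80 | (2 << 3) | NTP_MODE_PRIVATE, 0, 3,
                           REQ_MON_GETLIST_1])
                    + struct.pack("!HH", 6, MONLIST_ENTRY_SIZE)
                    + b"\x00" * (6 * MONLIST_ENTRY_SIZE))
MONLIST_CAPTURE = [(VICTIM, SERVER, MONLIST_REQUEST),
                   (SERVER, VICTIM, MONLIST_RESPONSE)]

if __name__ == "__main__":
    print("spoofed answers:", audit(SPOOFED_ANSWER_CAPTURE, SERVER))
    print("monlist:", audit(MONLIST_CAPTURE, SERVER))
```

Run against a capture taken on the server itself, `monlist_replies == 0` with normal mode 4 replies flowing is the evidence Hal describes: the server answers time requests but does not answer monlist, so it is not the amplifier and the reporter has most likely seen forged sources. A non-zero count means mode 7 queries are still being answered, which on ntpd is what `disable monitor` and a `restrict default ... noquery` line in ntp.conf shut off.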