[Pool] DDoS Type Attack

Anssi Johansson timekeeper at miuku.net
Thu Feb 13 23:29:57 UTC 2014


Nyamul Hassan wrote:
> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123.  Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
> 
> Could someone confirm if this is correct?  Or are we blocking legitimate
> requests as well?

You are blocking legitimate requests as well. One example: traffic
coming from behind NAT firewalls. NAT changes the source port to some
other port.

Adding "limited kod" to your "restrict default" line in ntp.conf is
usually a rather good countermeasure. I would also suggest adding
"noquery" to that line to prevent the recent NTP amplification attacks.

See http://support.ntp.org/bin/view/Support/AccessRestrictions and 
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
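The ntp.conf change the reply recommends, shown as an added example (not part of the original message): the permissive "restrict default" line beside the hardened one. It assumes a stock ntpd configuration; the "disable monitor" directive is an extra, known ntpd option that switches off the monlist facility rather than just refusing queries.

```conf
# Permissive form: any host can sync time, but can also send ntpq/ntpdc
# control queries, and no rate limit is applied. Firewalling on port 123
# to 123 does not fix this, and it drops NAT'd clients whose source
# port was rewritten by the NAT device.
restrict default nomodify notrap

# Hardened form, as suggested in the reply:
#   limited  - rate-limit responses per source address (uses the
#              "discard" defaults unless you set them explicitly)
#   kod      - send a Kiss-o'-Death packet to a client that exceeds the
#              limit; only has effect when "limited" is also present
#   noquery  - refuse ntpq/ntpdc queries (the amplification traffic is
#              built on these, e.g. monlist), while ordinary time
#              requests are still answered from any source port
#   nomodify - refuse run-time configuration changes
#   nopeer   - do not accept unsolicited peer associations
#   notrap   - refuse mode 6 trap service
restrict default kod limited nomodify notrap nopeer noquery

# Keep full access for local monitoring (ntpq -p on the box itself).
restrict 127.0.0.1
restrict ::1

# Optional extra: turn off the monlist facility entirely.
disable monitor
```

After editing, restart ntpd and confirm from another host that "ntpq -p <server>" is refused while "ntpdate -q <server>" (a plain time request) still succeeds.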

