[Pool] DDoS Type Attack

Jim Reid ntp-pool at rfc1035.net
Thu Feb 13 23:33:42 UTC 2014

On 13 Feb 2014, at 23:18, Nyamul Hassan <nyamul at gmail.com> wrote:

> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123
> must also originate the request from UDP 123.

Whatever you've found is wrong.

NTP servers exchanging timestamps with other NTP servers will generally use port 123 for both the source and destination port numbers on those packets. Edge clients and utilities like ntpq should be using random source port numbers whenever they talk to an NTP server.

> Considering this, we have firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
> Could someone confirm if this is correct?

Depends on how you define "correct".

> Or are we blocking legitimate requests as well?

Depends on how you define "legitimate".

What you've done is probably fine. Almost nobody outside your network should be querying your NTP servers or answering queries from them. Blocking that traffic is unlikely to break anything and it should significantly reduce your exposure to DDoS attacks.

Make sure though that you open up the firewall to allow your trusted NTP servers to speak NTP to their upstream peers. i.e. a small number of your NTP servers can get the time from NTP servers on the Internet (say) and your servers then feed the time to any downstream servers and clients *inside* your net.
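As an added example (not part of Jim's message or the pool project's own material), a shell function that emits an nftables ruleset applying this policy on one of the trusted NTP server hosts: peers talk 123-to-123, anything inside the site may query with any source port, and every other NTP packet is dropped. The internal CIDR, peer addresses and table name are constructed values, and the ruleset assumes IPv4 only.

```shell
#!/bin/sh
# Emit an nftables ruleset for a trusted NTP server host.
#   $1 - internal network CIDR (clients and downstream servers live here)
#   $2 - space-separated list of upstream peer addresses (IPv4 only, assumption)
gen_ntp_ruleset() {
  internal="$1"
  peers=$(echo "$2" | sed 's/ /, /g')   # "a b" -> "a, b" for the nft set
  cat <<EOF
table inet ntp_filter {
  set upstream_peers {
    type ipv4_addr
    elements = { ${peers} }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # Server-to-server exchange: trusted upstream peers use 123 on both ends.
    ip saddr @upstream_peers udp sport 123 udp dport 123 accept
    # Inside clients and utilities (ntpq, sntp) use random source ports, so
    # match only on the destination port for the internal network.
    ip saddr ${internal} udp dport 123 accept
    # Anything else aimed at NTP is dropped, which removes the amplifier role.
    udp dport 123 drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr @upstream_peers udp sport 123 udp dport 123 accept
    ip daddr ${internal} udp sport 123 accept
    # No replies to, and no queries toward, NTP servers outside the site.
    udp sport 123 drop
    udp dport 123 drop
  }
}
EOF
}

# Constructed sample values; load the result with: nft -f <file>
gen_ntp_ruleset 10.0.0.0/8 "192.0.2.10 192.0.2.11"
```

Check the generated file with `nft -c -f <file>` before loading it, and add matching `ip6` rules if the site's NTP servers are reachable over IPv6.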

