[Pool] DDoS Type Attack

Nyamul Hassan nyamul at gmail.com
Thu Feb 13 23:36:34 UTC 2014

Thanks for the quick response Jim!

We also wish to host a "public" NTP server.  Are there any safeguard rules
we can implement?

I was thinking about limiting every remote host to 2-3 requests per minute.


On Fri, Feb 14, 2014 at 5:33 AM, Jim Reid <ntp-pool at rfc1035.net> wrote:

> On 13 Feb 2014, at 23:18, Nyamul Hassan <nyamul at gmail.com> wrote:
> > From the documentation, and all literature that I can find on the
> internet,
> > it seems any remote client who needs to talk to our NTP servers on UDP
> 123,
> > must also originate the request from UDP 123.
> Whatever you've found is wrong.
> NTP servers exchanging timestamps with other NTP servers will generally
> use port 123 for both the source and destination port numbers on those
> packets. Edge clients and utilities like ntpq should be using random source
> port numbers whenever they talk to an NTP server.
> > Considering this, we have firewalled any traffic for/from UDP 123 on our
> servers that does not
> > start/end in UDP 123 on the remote machines.
> >
> > Could someone confirm if this is correct?
> Depends on how you define "correct".
> > Or are we blocking legitimate reqeusts as well?
> Depends on how you define "legitimate".
> What you've done is probably fine. Almost nobody outside your network
> should be querying your NTP servers or answering queries from them.
> Blocking that traffic is unlikely to break anything and it should
> significantly reduce your exposure to DDoS attacks.
> Make sure though that you open up the firewall to allow your trusted NTP
> servers to speak NTP to their upstream peers. ie A small number of your NTP
> servers can get the time from NTP servers on the Internet (say) and your
> servers then feed the time to any downstream servers and clients *inside*
> your net.

More information about the pool mailing list