[Pool] DDoS Type Attack

John Kristoff jtk at cymru.com
Thu Feb 13 23:40:28 UTC 2014


On Fri, 14 Feb 2014 05:18:35 +0600
Nyamul Hassan <nyamul at gmail.com> wrote:

> From the documentation, and all literature that I can find on the
> internet, it seems any remote client who needs to talk to our NTP
> servers on UDP 123, must also originate the request from UDP 123.
> Considering this, we have firewalled any traffic for/from UDP 123 on
> our servers that does not start/end in UDP 123 on the remote machines.
> 
> Could someone confirm if this is correct?  Or are we blocking
> legitimate reqeusts as well?

This is an incorrect assumption.  While many systems, particularly
those based on the ntpd reference implementation do just as you
describe, others may not for at least a couple of reasons.

One reason is simply different implementations may use a different
source port selection strategy.  I believe openntpd.org for example is
just such an implementation. Another reason are NAP/PAT gateways that
rewrite source ports between some address/port perimeter where NTP
traffic may traverse.

It is also the case, but probably less important for your purposes,
that expected and legitimate mode 6/7 messages from tools such as ntpdc
and ntpq would use other ports.

John


More information about the pool mailing list