[Pool] DDoS Type Attack

Nyamul Hassan nyamul at gmail.com
Thu Feb 13 23:41:09 UTC 2014

Thank you for the quick response!

We are currently using these base rules:

restrict default limited kod notrap nopeer
server clock.isc.org
server bonehed.lcs.mit.edu
server time.nist.gov
peer xxx1
peer xxx2
peer xxx3
peer xxx4
disable monitor     ###  This was added recently
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig all
logfile /var/log/ntp.log

We'll add the "noquery" as you suggested to the top line.  Would you have
any other suggestions for us?


On Fri, Feb 14, 2014 at 5:29 AM, Anssi Johansson <timekeeper at miuku.net>wrote:

> Nyamul Hassan kirjoitti:
>  From the documentation, and all literature that I can find on the
>> internet,
>> it seems any remote client who needs to talk to our NTP servers on UDP
>> 123,
>> must also originate the request from UDP 123.  Considering this, we have
>> firewalled any traffic for/from UDP 123 on our servers that does not
>> start/end in UDP 123 on the remote machines.
>> Could someone confirm if this is correct?  Or are we blocking legitimate
>> reqeusts as well?
> You are blocking legitimate requests as well. One example: traffic coming
> from behind NAT firewalls. NAT changes the source port to some other port.
> Adding "limited kod" to your "restrict default" line in ntp.conf is
> usually a rather good countermeasure. I would also suggest adding "noquery"
> to that line to prevent the recent NTP amplification attacks.
> See http://support.ntp.org/bin/view/Support/AccessRestrictions and
> http://support.ntp.org/bin/view/Main/SecurityNotice#
> DRDoS_Amplification_Attack_using
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool

More information about the pool mailing list