[Pool] DDoS Type Attack

Brian Rak brak at constant.com
Fri Feb 14 00:02:32 UTC 2014


Specifically, what kind of requests are these?

Have you confirmed that you are not participating in DDOS attacks via 
the monlist command? (check ntpdc -c monlist YOURIP from a remote 
machine).  If you've only recently corrected the monlist issue, you'll 
still receive attack attempts for quite some time.


On 2/13/2014 6:18 PM, Nyamul Hassan wrote:
> Hi,
>
> Our public NTP servers have started receiving an inordinate amount of NTP
> requests.  In order to mitigate the problem, we find that a lot of these
> queries are originating from or being sent to ports other than 123.
>
>  From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123.  Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
>
> Could someone confirm if this is correct?  Or are we blocking legitimate
> reqeusts as well?
>
> Regards
> HASSAN
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool



More information about the pool mailing list