[Pool] DDoS Type Attack

Mouse mouse at Rodents-Montreal.ORG
Fri Feb 14 13:35:47 UTC 2014


>> it seems any remote client who needs to talk to our NTP servers on
>> UDP 123, must also originate the request from UDP 123.

>> Could someone confirm if this is correct?  Or are we blocking
>> legitimate reqeusts as well?

> You are blocking legitimate requests as well.  One example: traffic
> coming from behind NAT firewalls. NAT changes the source port to some
> other port.

Opinions differ on how `legitimate' such traffic is.  My own stance is
that anyone doing NAT has earned any resulting brokenness by
deliberately corrupting packets in transit.

However, I don't think any spec calls for the use of port 123 on both
ends of NTP traffic, so even if you agree with my stance I see no
reason to think all non-123/123 traffic is due to NAT.  That is, at
best you're using a heuristic that mostly works - no worse than any
other heuristic, but no better, either, really.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


More information about the pool mailing list