[Pool] DDoS Type Attack

Matt Wagner mwaggy at gmail.com
Fri Feb 14 15:52:12 UTC 2014


On Thu, Feb 13, 2014 at 6:33 PM, Jim Reid <ntp-pool at rfc1035.net> wrote:

> What you've done is probably fine. Almost nobody outside your network should be querying your NTP servers or answering queries from them. Blocking that traffic is unlikely to break anything and it should significantly reduce your exposure to DDoS attacks.
>

Isn't that the point of being in the pool? To answer queries from more
than your network? (Or are you referring to administrative queries?)

I am skeptical that blocking ports other than 123 is solving the
root of your problem. FWIW, my machine in the pool shows probably at
least 50% of the queries (all seemingly legitimate) coming from ports
other than 123.

I would wager that the "inordinate amount" of requests you're seeing
comes from the monlist DDoS vulnerability that's been discussed here.
(Note that you might get some even if you're not vulnerable. Script
kiddies aren't always the brightest bulbs out there.) I have one
client still hitting me with monlist requests, even though I'm not
vulnerable -- and it's using source port 123. (Well, I don't know how
many clients it actually is -- but one source IP, surely spoofed.)

The configuration changes discussed down-thread should ensure that
you're not vulnerable and aren't inadvertently participating in a DDoS
attack. Your outbound bandwidth usage should fall, but the queries
attempting to exploit it will keep coming for a while.

You can look at the 'limited' and 'kod' keywords, but keep in mind
that they control how many requests you'll *respond* to, not how many
you're sent. The clients sending you excessive requests are unlikely
to also be the clients that are smart enough to back off when you stop
responding. And blocking them at the firewall level is just changing
who gets to drop the packets -- your firewall or ntpd. You can fiddle
with your bandwidth preferences for pool traffic, though I'm not sure
that abusers are using the pool versus just probing for IPs.

-- Matt
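The configuration changes this thread refers to are the ntp.conf `restrict default ...` flags and `disable monitor`. As an added example (not code from the post, and not ntpd's own tooling), here is a small Python checker that parses an ntp.conf and reports whether monlist is still reachable, whether responses are rate-limited with `limited`/`kod`, and whether a `noserve`/`ignore` on the default line would stop the host from serving time at all, which matters for a pool member. The three sample configs are constructed for illustration and are not anyone's real configuration; the parser only models the `restrict default` lines and the `enable`/`disable monitor` directive.

```python
"""Audit an ntp.conf for the monlist/amplification hardening discussed above.

Added example, not from the original mailing-list post. It models only
'restrict [-4|-6] default <flags>' and 'enable/disable monitor'; every
other directive is ignored. The sample configs below are constructed.
"""
import shlex

def parse_ntp_conf(text):
    """Return ({'ipv4': flags, 'ipv6': flags}, monitor_on) from ntp.conf text."""
    defaults = {"ipv4": set(), "ipv6": set()}
    monitor_on = True  # ntpd keeps the MRU/monitor list unless told not to
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] in ("enable", "disable") and "monitor" in words[1:]:
            monitor_on = words[0] == "enable"
        elif words[0] == "restrict":
            args = words[1:]
            families = ["ipv4", "ipv6"]
            if args and args[0] in ("-4", "-6"):
                families = ["ipv4" if args[0] == "-4" else "ipv6"]
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    defaults[fam] = set(args[1:])
    return defaults, monitor_on

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    defaults, monitor_on = parse_ntp_conf(text)
    findings = []
    for fam, flags in defaults.items():
        if flags & {"ignore", "noserve"}:
            findings.append(f"{fam}: 'restrict default' has ignore/noserve; "
                            "time requests are refused, so this host cannot serve the pool")
        # monlist is a mode 7 query: 'noquery' refuses it, 'disable monitor'
        # empties the list it would report. Either one removes the amplifier.
        if "noquery" not in flags and monitor_on:
            findings.append(f"{fam}: monlist reachable; add 'noquery' to "
                            "'restrict default' or use 'disable monitor'")
        if "nomodify" not in flags:
            findings.append(f"{fam}: remote runtime configuration allowed; add 'nomodify'")
        # 'limited'/'kod' only govern what ntpd answers, not what it receives,
        # as the post notes; they still cap the outbound bandwidth an abuser gets.
        if "limited" not in flags:
            findings.append(f"{fam}: no per-client rate limit; add 'limited' (with 'kod')")
        elif "kod" not in flags:
            findings.append(f"{fam}: 'limited' without 'kod'; excess clients are "
                            "dropped silently instead of told to back off")
    return findings

# Constructed sample configs (hypothetical hosts, not real configurations).
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default nomodify notrap   # mode 7 queries still answered
restrict 127.0.0.1
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
"""

OVERBLOCKED_CONF = """
server 0.pool.ntp.org
restrict default ignore   # safe from monlist, but useless as a pool server
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("overblocked", OVERBLOCKED_CONF)):
        print(f"== {name}")
        for f in audit(conf) or ["ok"]:
            print("  " + f)
```

Run it against your own file with `audit(open("/etc/ntp.conf").read())`. The checker deliberately does not look at per-host `restrict` lines or firewall rules, so a clean result only says that the default policy is right; it says nothing about the volume of spoofed requests that will keep arriving regardless.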

