[Pool] DDoS Type Attack
timekeeper at famsik.de
Sat Feb 15 14:20:14 UTC 2014
if your server is intended to be a _public_ server, that is, reachable
your own private network, you should not restrict requests to source
I disagree with Mouse's position that one need not bother to serve clients
behind NAT. (Where I come from, I consider that a minority and rather
If another argument is still needed, blocking requests with source port
different from 123 essentially says: The common "ntpdate" utility generates
illegitimate traffic when operated with "-d".
Personally, I have at times used "ntpdate -d" with several ntp servers
to quickly compare how well they agree.
I'd say: Rate limiting is the way to go. I personally used iptables for
but am back to doing it inside ntpd, so that "KOD" packets are sent.
Do not block on anything that can be forged easily.
On 14.02.2014 00:18, Nyamul Hassan wrote:
> Our public NTP servers have started receiving an inordinate amount of NTP
> requests. In order to mitigate the problem, we find that a lot of these
> queries are originating from or being sent to ports other than 123.
> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123. Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
> Could someone confirm if this is correct? Or are we blocking legitimate
> requests as well?
> pool mailing list
> pool at lists.ntp.org
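As an added illustration of the trade-off argued above (this is not code from the post or from the NTP project): a constructed Python model that compares the source-port filter the original poster applied with a per-source rate limit that answers over-budget sources with a KoD-style response instead of silently dropping them. The traffic sample, the IP addresses and the token-bucket parameters are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample traffic (timestamp in ms, source IP, source UDP port).
# 198.51.100.7 is an operator running "ntpdate -d" four times from an
# ephemeral port; 203.0.113.9 sends 200 requests in two seconds, all with
# source port 123, which a forged flood can trivially set.
SAMPLE_REQUESTS = sorted(
    [(0, "198.51.100.7", 51234), (500, "198.51.100.7", 51234),
     (1000, "198.51.100.7", 51234), (1500, "198.51.100.7", 51234)]
    + [(i * 10, "203.0.113.9", 123) for i in range(200)]
)

def source_port_filter(requests):
    """The original poster's rule: drop anything not sent from UDP 123."""
    counts = defaultdict(lambda: {"serve": 0, "drop": 0})
    for _ts, ip, port in requests:
        counts[ip]["serve" if port == 123 else "drop"] += 1
    return dict(counts)

class PerSourceLimiter:
    """Token bucket per source IP: up to `burst` requests at once, refilled at
    `rate` tokens per second. Over budget yields a KoD answer, not a drop."""
    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.state = {}  # ip -> (tokens, last_ts_ms); Fraction keeps it exact
    def check(self, ts_ms, ip):
        tokens, last = self.state.get(ip, (self.burst, ts_ms))
        tokens = min(self.burst, tokens + Fraction(ts_ms - last, 1000) * self.rate)
        if tokens >= 1:
            self.state[ip] = (tokens - 1, ts_ms)
            return "serve"
        self.state[ip] = (tokens, ts_ms)  # keep accruing credit while limited
        return "kod"

def rate_limit(requests, rate=1, burst=4):
    """Serve every source its fair share regardless of port; KoD the rest."""
    limiter = PerSourceLimiter(rate, burst)
    counts = defaultdict(lambda: {"serve": 0, "kod": 0})
    for ts, ip, _port in requests:
        counts[ip][limiter.check(ts, ip)] += 1
    return dict(counts)

if __name__ == "__main__":
    print("source-port filter:", source_port_filter(SAMPLE_REQUESTS))
    print("per-source limit  :", rate_limit(SAMPLE_REQUESTS))
```

The port filter serves all 200 flood packets and drops the four legitimate ntpdate queries; the rate limit serves the four legitimate queries and answers 195 of the 200 flood packets with KoD.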