[Pool] DDoS Type Attack

Andreas Krüger timekeeper at famsik.de
Sat Feb 15 14:20:14 UTC 2014


Hello, Hassan,

if your server is intended to be a _public_ server, that is, reachable
from outside your own private network, you should not restrict requests
to source port 123.

I disagree with Mouse's position that one need not bother to serve clients
behind NAT. (From where I come from, I consider that a minority and rather
extreme position.)

If another argument is still needed, blocking requests with source port
different from 123 essentially says: The common "ntpdate" utility generates
illegitimate traffic when operated with "-d".

Personally, I have at times used "ntpdate -d" with several ntp servers
to quickly compare how well they agree.

I'd say: Rate limiting is the way to go. I personally used iptables for
a while, but am back to doing it inside ntpd, so that "KOD" packets are sent.

Do not block on anything that can be forged easily.

Regards, Andreas
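The ntpd-side rate limiting recommended above, as an added example that is not part of the list post: an ntp.conf fragment for the reference ntpd (4.2.x assumed) that serves every source port but answers excess traffic from one source with a Kiss-o'-Death packet. The discard values and the pool server names are illustrative choices, not taken from the post.

```conf
# /etc/ntp.conf fragment (added example). Instead of a firewall rule that
# drops NTP requests whose source port is not 123 (which also drops clients
# behind NAT and "ntpdate -d"), let ntpd rate limit per source address.

# Token-bucket limits enforced by the "limited" restriction below:
#   average  - log2 of the minimum average inter-packet spacing in seconds
#              (3 => one packet per 8 s on average per source)
#   minimum  - minimum spacing between two packets from one source (seconds)
# Illustrative values; tune to the traffic the server actually sees.
discard average 3 minimum 2

# Default policy for everyone, any source port:
#   limited  - drop requests that violate the discard limits
#   kod      - answer such a request with a KoD packet so a well-behaved
#              client backs off; note that kod has no effect without limited.
#              A KoD reply is a normal-size NTP packet, so a forged source
#              address does not turn the server into an amplifier.
#   nomodify/notrap/nopeer/noquery - no remote reconfiguration, traps,
#              unsolicited peering, or ntpq/ntpdc status queries.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Full access from the host itself, so local ntpq still works.
restrict 127.0.0.1
restrict -6 ::1

# Upstream time sources (placeholders); replies from them are answers to
# our own polls and are not subject to the "limited" check.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

After reloading, `ntpq -c sysstats` on the server itself shows the counters for rate-limited ("restricted"/"rate limited") packets, which is the quickest way to confirm the limits are biting without dropping ordinary clients.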



Am 14.02.2014 00:18, schrieb Nyamul Hassan:
> Hi,
>
> Our public NTP servers have started receiving an inordinate amount of NTP
> requests.  In order to mitigate the problem, we find that a lot of these
> queries are originating from or being sent to ports other than 123.
>
> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123.  Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
>
> Could someone confirm if this is correct?  Or are we blocking legitimate
> requests as well?
>
> Regards
> HASSAN
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool


