[Pool] DDoS Type Attack

Matt Wagner mwaggy at gmail.com
Sat Feb 15 22:04:50 UTC 2014

On Sat, Feb 15, 2014 at 9:20 AM, Andreas Krüger <timekeeper at famsik.de>wrote:

> Hello, Hassan,
> if your server is intended to be a _public_ server, that is, reachable
> from outside
> your own private network, you should not restrict requests to source
> port 123.
> I disagree with Mouse's position that one need not bother to serve clients
> behind NAT. (From where I come from, I consider that a minority and rather
> extreme position.)
> If another argument is still needed, blocking requests with source port
> different from 123 essentially says: The common "ntpdate" utility generates
> illegitimate traffic when operated with "-d".

Thanks to a friend for digging up the relevant portion of the RFC:


The source port only needs to be 123 in symmetric mode. Blocking requests
with a source port of 123 isn't choosing to accommodate NAT; it has little
do with NAT. It's ignoring the RFC and dropping requests from legitimate
clients that don't set up a symmetric association.

More information about the pool mailing list