[Pool] DDoS Type Attack

Nyamul Hassan nyamul at gmail.com
Sun Feb 16 03:33:55 UTC 2014

Thank you all for your valuable comments / suggestions.

I also agree with the notion that stopping legitimate requests is
undesirable.  While we can always pull our servers off the "pool", but that
is also not something we want.

As suggested, we have gone through some previous emails on this list, and
implemented a rate-limiting in iptables through two different methods:

#Method 1
-A INPUT -p udp -m udp --dport 123 -m hashlimit --hashlimit-name ntp
--hashlimit-upto 15/min --hashlimit-burst 10 --hashlimit-mode srcip
--hashlimit-htable-expire 3600000 -j ACCEPT -m comment --comment "Check NTP"
-A INPUT -p udp -m udp --dport 123 -j DROP

#Method 2
-A INPUT -p udp --dport 123 -m recent --name ntp --rcheck --seconds 50
--hitcount 10 -j DROP
-A INPUT -p udp --dport 123 -m recent --name ntp --set

After enabling each of them, we tried "disabling" the rule we enforced
earlier (the one blocking remote clients which did not have a source port
of 123) for one of our "high target" servers.  As soon as we lifted that
rule, that server spiked outbound UDP traffic around 8-12 Mbps level
throughout the 1-2 hours we kept the test running.

Can someone suggest where the rules are failing to stop outbound traffic
over extended periods?


On Sun, Feb 16, 2014 at 4:11 AM, Rob Janssen <rob at knoware.nl> wrote:

> Andreas Krüger wrote:
>> Sending KOD packets is a true waste of time and resources!
>> They don't hurt.  And sending them makes me feel better.  (I
>> don't mind to be the "caller in the wilderness" guy.)  What makes
>> me feel better and is cheap and easy enough to do, I don't call a
>> waste.  ;-)
>> Why do they make me feel better?  They are in the standard.
> I experimented with sending KOD when I saw there were clients that were
> sending too many queries,
> and I found that at least one of those badly implemented client programs
> that sent way too
> many queries reacted to KOD by immediately re-trying the query.
> Instead of sending maybe 1 query every 10 seconds, it went to sending
> queries as fast
> as they could be bounced back an forth across the link.
> I think those that see astronomic query rates should first remove KOD and
> see if that fixes it.
> Other client programs simply ignored the KOD and kept on going as they
> were before.
> I think only the standard ntpd understands KOD, and isn't normally
> misbehaving anyway.
> Rob
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool

More information about the pool mailing list