[Pool] DDoS Type Attack

Fabian Wenk fabian at wenks.ch
Sun Feb 16 15:54:17 UTC 2014


Hello Nyamul

On 16.02.14 04:33, Nyamul Hassan wrote:
> After enabling each of them, we tried "disabling" the rule we enforced
> earlier (the one blocking remote clients which did not have a source port
> of 123) for one of our "high target" servers.  As soon as we lifted that
> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> throughout the 1-2 hours we kept the test running.

I do not know what bandwidth you have set for the Pool and in 
which zone this server is. This would be helpful to know, as this 
does have quite an impact on how many requests the server is 
getting. E.g. if you have set it to 1 Gbit/s and are in a zone 
and region with just a few servers, you could get much more 
traffic than with a lower bandwidth in a zone / region with a 
lot of servers. Depending on these 2 parameters, eventually the 
8-12 Mbit/s are just normal legit ntp requests.

I do have some other questions.

Are you seeing the same amount of requests or packets in inbound 
and outbound?

What are your settings for the 'restrict default' line in 
ntp.conf, are you using the options below?

restrict default limited kod notrap nomodify nopeer noquery

As suggested by Rob Janssen, you may leave out the 'kod' option.

> Can someone suggest where the rules are failing to stop outbound traffic
> over extended periods?

If these are legit requests, then you should not block outbound 
traffic to them, you should serve them with time.

My recommendation is to let ntpd do the rate limiting rather than 
blocking / limiting traffic with iptables or such.


bye
Fabian
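
Added example (not from Fabian's message or the pool project): an ntp.conf fragment built around the 'restrict default' line discussed above, showing the 'discard' thresholds that the 'limited' flag enforces and the localhost / upstream exceptions a pool server needs so that its own operator and time sources are not rate-limited. The upstream addresses (192.0.2.x, documentation range) and the discard values are assumptions for illustration.

```conf
# Added example, not from the list post. Addresses and thresholds are
# assumed values for illustration only.

driftfile /var/lib/ntp/ntp.drift

# Upstream time sources (constructed placeholder addresses)
server 192.0.2.10 iburst
server 192.0.2.11 iburst

# Default policy for every client: serve time, nothing else.
#   limited  - apply the 'discard' rate limits below; packets from a source
#              that exceeds them are dropped by ntpd itself
#   kod      - instead of silence, a rate-limited client gets a Kiss-o'-Death
#              reply; the thread suggests leaving this flag out
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse the mode 6 trap service
#   nopeer   - do not form an association with an unsolicited peer
#   noquery  - refuse mode 6/7 control queries (ntpq / ntpdc)
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery

# The same policy without 'kod', as suggested in the thread:
# restrict default limited nomodify notrap nopeer noquery
# restrict -6 default limited nomodify notrap nopeer noquery

# Thresholds used by 'limited': minimum average headway of 2^3 = 8 s and a
# guard time of 2 s between packets from one source (these are ntpd's
# defaults, written out here so the values are visible).
discard average 3 minimum 2

# Localhost keeps full access so the operator can still run ntpq / ntpdc.
restrict 127.0.0.1
restrict ::1

# The configured upstream servers must not be rate-limited or refused.
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.11 nomodify notrap noquery
```

With this in place the outbound rate is governed by ntpd's own accounting per source address, which is what the message recommends instead of iptables rules; a client that honours the limits simply gets served, and one that exceeds them is dropped without the firewall needing to distinguish the two.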

