[Pool] DDoS Type Attack

Nyamul Hassan nyamul at gmail.com
Sun Feb 16 18:56:20 UTC 2014

Thank you Fabian Wenk for your response.  All these 8-12 Mbps is against
5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps

We also noted that, almost invariably, the remote ports are not 123.

Our ntp.conf settings are as follows:

restrict default limited kod notrap nopeer
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logfile /var/log/ntp.log

Thank you once again for your help!


On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <fabian at wenks.ch> wrote:

> Hello Nyamul
> On 16.02.14 04:33, Nyamul Hassan wrote:
>> After enabling each of them, we tried "disabling" the rule we enforced
>> earlier (the one blocking remote clients which did not have a source port
>> of 123) for one of our "high target" servers.  As soon as we lifted that
>> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
>> throughout the 1-2 hours we kept the test running.
> I do not know what bandwidth you have set for the Pool and in which zone
> this server is. This would be helpful to know, as this does have quite an
> impact on how many requests the server is getting. E.g. if you have set it
> to 1 Gbit/s and are in a zone and region with just a few server, you could
> get much more traffic, then with a lower bandwidth in a zone / region with
> a lot of servers. Depending on this 2 parameters, eventually the 8-12
> Mbits/s are just normal legit ntp requests.
> I do have some other questions.
> Are you seeing the same amount of requests or packets in inbound and
> outbound?
> What are your settings for the 'restrict default' line in ntp.conf, are
> you using the options below?
> restrict default limited kod notrap nomodify nopeer noquery
> As suggested from Rob Janssen, you may leave out the 'kod' option.
>  Can someone suggest where the rules are failing to stop outbound traffic
>> over extended periods?
> If this are legit requests, then you should not block outbound traffic to
> them, you should serve them with time.
> My recommendation is to let ntpd do the rate limiting and not blocking /
> limiting traffic with iptables or such.
> bye
> Fabian
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool

More information about the pool mailing list