[Pool] DDoS Type Attack

Brian Rak brak at constant.com
Mon Feb 17 02:58:02 UTC 2014


There are no use cases that outweigh the DDOS attack issues. Please see 
the pool recommendations:

http://www.pool.ntp.org/join/configuration.html

Management queries
Make the default configuration be to not allow "management queries". For 
ntpd this will be adding the "noquery" option to the default "restrict" 
lines, for example:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Fix your configuration, and you really won't have to worry about this 
anymore.
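An added check (not from this thread or the pool project) for the misconfiguration the thread is about: it audits the "restrict default" lines of an ntp.conf for the missing "noquery" flag, so a pool operator can catch the weak setting before the server is exposed. The function name and the two sample configs are constructed for the example.

```shell
# Audit ntp.conf text on stdin: every "restrict default" (or "restrict -4/-6 default")
# line must carry "noquery" (or "ignore", which drops everything). Offending lines
# are printed and the function returns non-zero, so it can gate a deployment.
audit_ntp_restrict() {
    awk '
        { sub(/#.*/, "") }   # drop comments; $0 is re-split afterwards
        $1 == "restrict" && ($2 == "default" || (($2 == "-4" || $2 == "-6") && $3 == "default")) {
            ok = 0
            for (i = 3; i <= NF; i++) if ($i == "noquery" || $i == "ignore") ok = 1
            if (!ok) { print "missing noquery: " $0; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Constructed samples: the restrict line quoted in the thread, and the fixed form
# from the pool configuration page (both default lines carry noquery).
WEAK_CONF='restrict default limited kod notrap nopeer
restrict 127.0.0.1'
FIXED_CONF='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1'

# Usage: the weak config is reported and the call fails; the fixed one passes silently.
printf '%s\n' "$WEAK_CONF" | audit_ntp_restrict || echo "weak config rejected"
printf '%s\n' "$FIXED_CONF" | audit_ntp_restrict && echo "fixed config accepted"
```

Run it against a live file with `audit_ntp_restrict < /etc/ntp.conf`; a non-zero exit means at least one default restrict line still answers management queries.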


On 2/16/2014 5:56 PM, Nyamul Hassan wrote:
>>> restrict default limited kod notrap nopeer
>> Add noquery to the above list or your machines will allow DDoSing other
>> folks.
>>
>>
> Yes, we could.  But, some people on this list believe that "noquery" also
> restricts certain use cases, which as "Pool Servers" we should be able to
> accommodate.  What do you think?
>
> Regards
> HASSAN
>
>
>> H
>> --
>>> restrict 127.0.0.1
>>> restrict ::
>>> driftfile /var/lib/ntp/drift
>>> keys /etc/ntp/keys
>>> logconfig=all
>>> logfile /var/log/ntp.log
>>>
>>> Thank you once again for your help!
>>>
>>> Regards
>>> HASSAN
>>>
>>>
>>>
>>>
>>> On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <fabian at wenks.ch> wrote:
>>>
>>>> Hello Nyamul
>>>>
>>>>
>>>> On 16.02.14 04:33, Nyamul Hassan wrote:
>>>>
>>>>> After enabling each of them, we tried "disabling" the rule we enforced
>>>>> earlier (the one blocking remote clients which did not have a source port
>>>>> of 123) for one of our "high target" servers.  As soon as we lifted that
>>>>> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
>>>>> throughout the 1-2 hours we kept the test running.
>>>>>
>>>> I do not know what bandwidth you have set for the Pool and in which zone
>>>> this server is. This would be helpful to know, as this does have quite an
>>>> impact on how many requests the server is getting. E.g. if you have set it
>>>> to 1 Gbit/s and are in a zone and region with just a few servers, you could
>>>> get much more traffic than with a lower bandwidth in a zone / region with
>>>> a lot of servers. Depending on these 2 parameters, eventually the 8-12
>>>> Mbits/s are just normal legit ntp requests.
>>>>
>>>> I do have some other questions.
>>>>
>>>> Are you seeing the same amount of requests or packets in inbound and
>>>> outbound?
>>>>
>>>> What are your settings for the 'restrict default' line in ntp.conf, are
>>>> you using the options below?
>>>>
>>>> restrict default limited kod notrap nomodify nopeer noquery
>>>>
>>>> As suggested from Rob Janssen, you may leave out the 'kod' option.
>>>>
>>>>
>>>>> Can someone suggest where the rules are failing to stop outbound traffic
>>>>> over extended periods?
>>>>>
>>>> If these are legit requests, then you should not block outbound traffic to
>>>> them, you should serve them with time.
>>>>
>>>> My recommendation is to let ntpd do the rate limiting and not blocking /
>>>> limiting traffic with iptables or such.
>>>>
>>>>
>>>> bye
>>>> Fabian
>>>>
>>>> _______________________________________________
>>>> pool mailing list
>>>> pool at lists.ntp.org
>>>> http://lists.ntp.org/listinfo/pool
>>>>