[ntp:questions] Very rapid polling

Danny Mayer mayer at ntp.org
Sun Feb 15 04:37:09 UTC 2009


Eric wrote:
> On Tue, 10 Feb 2009 23:38:07 -0500, "Richard B. Gilbert"
> <rgilbert88 at comcast.net> wrote for the entire planet to see:
> 
>> Danny Mayer wrote:
>>> Eric wrote:
>>>> The only mitigation I can think of here is for NTP to not respond to
>>>> excessive rate queries at all, or very infrequently, after the KOD.
>>>>
>>>> - Eric
>>> That's what the latest code does.
>>>
>>> Danny
>> If ntpd responds to such DOS attacks with the WRONG YEAR or random 
>> date-times, it might discourage the perpetrators.
> 
> Not really.  If it's really a DDoS attempt the source address won't belong
> to an NTP server and the packet will be discarded, sooner or later.  It's
> value is just to clog the pipes.  And anyway, there seems to be a general
> consensus that sending the wrong time is wrong.  Just don't send it, or
> simply mark it invalid or KOD or all zeros, or all three.  No need to
> attempt to confound the "requester".    

There is no way to mark an NTP packet as invalid, but then why would you
even bother to send an invalid packet in the first place? You can send a
KOD packet, but 99% of the clients out there won't know what it is and
will assume that the NTP timestamps are valid. Also, all zeros means the
wrong time.

Danny
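The two cases Danny raises, a KOD reply and an all-zeros reply, as an added example that is not part of the original post and not ntpd's code: a Python sketch of the 48-byte RFC 5905 header showing what a client that does not recognise kiss-o'-death (stratum 0, ASCII kiss code in the reference ID) does with the timestamps it carries, and why a zeroed transmit timestamp decodes as 1 January 1900 rather than "no time". The sample server time, the reference ID and both client policies are constructed for the illustration.

```python
"""Added example (not ntpd code): what a client makes of a KOD or all-zero reply.

Wire layout follows RFC 5905 (48-byte NTPv4 header, no extension fields or MAC).
SERVER_TIME, the reference IDs and the two client policies are constructed here.
"""
import struct
from datetime import datetime, timedelta, timezone

# RFC 5905 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps (ref, orig, recv, xmit).
HEADER_FMT = "!BBbbII4sQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODE_SERVER = 4
LI_UNSYNC = 3

# Constructed "server clock" so the example is deterministic (the post's date).
SERVER_TIME = datetime(2009, 2, 15, 4, 37, 9, tzinfo=timezone.utc)


def datetime_to_ntp(dt):
    """Encode an aware datetime as a 64-bit NTP timestamp (32.32 fixed point)."""
    delta = dt - NTP_EPOCH
    secs = delta.days * 86400 + delta.seconds
    frac = (delta.microseconds << 32) // 1_000_000
    return (secs << 32) | frac


def ntp_to_datetime(ts):
    """Decode a 64-bit NTP timestamp; 0 decodes to 1900-01-01, not 'no time'."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=(frac * 1_000_000) >> 32)


def build_response(stratum, refid, xmit, li=0, vn=4, mode=MODE_SERVER):
    """Build a minimal server reply; only fields the client policies inspect are set."""
    assert len(refid) == 4
    return struct.pack(HEADER_FMT, (li << 6) | (vn << 3) | mode, stratum, 6, -20,
                       0, 0, refid, 0, 0, 0, xmit)


def build_kod(kiss_code=b"RATE", xmit=None):
    """Kiss-o'-Death per RFC 5905 7.4: stratum 0 with the ASCII kiss code as reference ID.
    The transmit timestamp is filled with the sample server time (constructed) so the
    naive client below has something to believe."""
    if xmit is None:
        xmit = datetime_to_ntp(SERVER_TIME)
    return build_response(0, kiss_code, xmit)


def parse_response(pkt):
    """Split a 48-byte header into the fields the policies need."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP packet")
    (lvm, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, _orig, _recv, xmit) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"li": lvm >> 6, "vn": (lvm >> 3) & 7, "mode": lvm & 7,
            "stratum": stratum, "refid": refid, "xmit": xmit}


def naive_client_time(pkt):
    """A client that knows nothing about KOD: the transmit timestamp is the truth."""
    return ntp_to_datetime(parse_response(pkt)["xmit"])


def careful_client_time(pkt):
    """Client that checks stratum 0 (KOD), LI=3 (unsynchronized) and a zero
    transmit timestamp before trusting anything. Returns (status, value)."""
    r = parse_response(pkt)
    if r["mode"] != MODE_SERVER:
        return ("invalid", None)
    if r["stratum"] == 0:
        # Kiss code is ASCII in the reference ID; "RATE" asks the client to back off.
        return ("kod", r["refid"].decode("ascii", "replace").rstrip("\x00"))
    if r["li"] == LI_UNSYNC or r["xmit"] == 0:
        return ("invalid", None)
    return ("ok", ntp_to_datetime(r["xmit"]))


if __name__ == "__main__":
    upstream = b"\x0a\x00\x00\x01"  # constructed IPv4 reference ID for a stratum-2 reply
    kod = build_kod()
    zeros = build_response(2, upstream, 0)
    good = build_response(2, upstream, datetime_to_ntp(SERVER_TIME))
    print("naive client, KOD   :", naive_client_time(kod))
    print("naive client, zeros :", naive_client_time(zeros))
    print("careful, KOD        :", careful_client_time(kod))
    print("careful, zeros      :", careful_client_time(zeros))
    print("careful, good       :", careful_client_time(good))
```

The naive client accepts the KOD reply's timestamps as a normal answer and turns an all-zero transmit timestamp into 1 January 1900, which is exactly the "wrong time" outcome the message warns about; the careful client recognises stratum 0 as a kiss code and treats a zero timestamp as no answer at all.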
