> there are not only DDoS amplifiers. I see many dumb queries with 0.3-2 second
> interval. Looks like sources located behind NAT, not NAT'ed correctly,
> and do not receive my answers. Or it just has a "broken" ntp client. Or a
> DDoS reflection attack. It still exists, by simple queries with spoofed
> source ip. One of my clients sometimes gets such a flood at 5-10Gbit/s.

I've seen a few piggy clients where whois indicates that it is likely to be a NAT box. One was a hotel, the other was an ISP block labeled DHCP clients. They have been piggy, but at least sane. I've seen a few others that seemed more like DDoS redirections, but no hard evidence.

> Looks like MRU reduces reply rate to these queries by 20-25%. I typically have
> 4kpps input and 3-3.2kpps output on server.

Is the CPU saturated? If not, there should be some counter that indicates why the packet didn't generate a response. (It wouldn't surprise me if there are missing cases, but if we find any, I'll fix that.)

-- 
These are my opinions. I hate spam.
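As an added example that is not part of this thread and not ntpd's code: a simplified MRU-style per-source rate limiter that keeps a named counter for every query it does not answer and for every MRU eviction, run over constructed traffic. It also covers the general case behind a smaller-than-expected reply reduction: many sources churning a small MRU evict each other, so each looks new again and is answered. The 2 s minimum interval and the MRU sizes are hypothetical values, not ntpd defaults.

```python
from collections import OrderedDict

# Simplified MRU-style per-source rate limiter (added example, not ntpd's code).
# A source is answered at most once per min_interval seconds. Every unanswered
# packet is attributed to a counter, and evictions are counted too: an evicted
# source looks "new" on its next packet and is answered again.
class MruRateLimiter:
    def __init__(self, min_interval=2.0, mru_size=4):
        self.min_interval = min_interval   # hypothetical value, not ntpd's default
        self.mru_size = mru_size           # hypothetical cap on tracked sources
        self.mru = OrderedDict()           # source -> timestamp of its last packet
        self.counters = {"answered": 0, "rate_limited": 0, "mru_evicted": 0}

    def handle(self, src, ts):
        """Return True if the query from src at time ts should be answered."""
        last = self.mru.pop(src, None)     # pop + reinsert moves src to the MRU end
        self.mru[src] = ts
        if len(self.mru) > self.mru_size:
            self.mru.popitem(last=False)   # drop the least recently seen source
            self.counters["mru_evicted"] += 1
        if last is not None and ts - last < self.min_interval:
            self.counters["rate_limited"] += 1
            return False
        self.counters["answered"] += 1
        return True

def simulate(packets, min_interval=2.0, mru_size=4):
    """Feed (src, ts) packets in time order; return counters and replies per source."""
    rl = MruRateLimiter(min_interval, mru_size)
    replies = {}
    for src, ts in sorted(packets, key=lambda p: p[1]):
        if rl.handle(src, ts):
            replies[src] = replies.get(src, 0) + 1
    return rl.counters, replies

def constructed_traffic():
    """Constructed sample: a sane client, a broken 0.5 s client, one spoofed burst."""
    pkts = [("10.0.0.1", 64.0 * i) for i in range(10)]    # sane 64 s polling
    pkts += [("10.0.0.2", 0.5 * i) for i in range(40)]     # 0.5 s interval, never sees replies
    pkts += [("198.51.100.9", 100.0)] * 10                  # reflection-style burst, one spoofed source
    return pkts

def churn_traffic(n_sources=8, interval=0.1):
    """Constructed sample: many spoofed sources in rotation, each well under min_interval."""
    return [("203.0.113.%d" % (i % n_sources), interval * i) for i in range(40)]

if __name__ == "__main__":
    print(simulate(constructed_traffic()))                 # MRU holds all sources: limiter works
    print(simulate(churn_traffic(), mru_size=4))           # MRU too small: every packet answered
```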