On Apr 7, 2006, at 6:02 PM, Mark Boolootian wrote:
>> It's just NTP, I can't imagine that it is *really* enough traffic to care
>> all that much.
>
> You're kidding, right? Do you know what happened to wisc.edu:
> http://www.cs.wisc.edu/~plonka/netgear-sntp/
Correct me if I'm wrong, but... That was only "really" a problem for
them because there was a flaw in the Netgear code that caused the
devices to make requests every second. That's not (as far as I'm
aware) happening here, so we're not talking huge amounts of bandwidth.
We intentionally run public NTP servers, which are even in the
pool.ntp.org pool, as well as on some NTP lists. I've pegged about
35,000 unique IPs using our North America server in the last 24
hours, or about 175pps. Bandwidth usage is about 100Kbps on
average. The occasional burst up to 250Kbps+, but those are pretty
rare.
This link here:
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/
says he's getting 37pps. NTP uses 76 byte packets. 37pps * 76 byte
packets = 22.4Kbps, or less than the amount of traffic a dialup user
can spew. If you're running a semi-public server on the internet, and
it can't handle a dialup user flooding it - you need a firewall anyway. :)
I can see how unwanted NTP traffic could be a nuisance, but not how
it could possibly cost US$8,800 per year. Nor requiring the use of a
US$5000 "external consultant" to track down the source of the
traffic. Nor worthy of invoking the Slashdot masses in outrage. Let
alone why an additional traffic load of less than a dialup user
accessing your server in any way is worthy of caring. Bad on D-Link
for what they've done, but total overreaction on the other side as well.
I think the lesson here is that any service you make available to the
public (NTP, DNS, IRC, SMTP, whatever) is going to be used in ways
that do not match with your desires. If you're not willing to ACL/
police the service, you're going to have to accept that people are
going to use it in ways you'd rather they didn't.
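As an added example, not code from this thread or from any of the projects or vendors mentioned in it, here is a small per-source check of the kind the "ACL/police the service" lesson calls for, together with the pps-to-bandwidth arithmetic used above. It reads request records of the form "<ISO-8601 timestamp> <client IP>" (the sample records, addresses and format are constructed, not real server logs), estimates aggregate load using the 76-byte on-the-wire packet size quoted in the thread (48-byte NTP message plus 20-byte IPv4 and 8-byte UDP headers), and flags clients whose mean interval between queries is shorter than a minimum poll interval. The 16-second threshold is an assumption (ntpd's minimum poll interval, 2^4 s), chosen so that a client polling every second, as the Netgear devices did, is flagged while a client polling once a minute is not; the IOS-style ACL syntax in the last function is likewise illustrative.

```python
"""Per-source NTP query rate check and bandwidth estimate (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

NTP_PACKET_BYTES = 76   # 48-byte NTP message + 20-byte IPv4 + 8-byte UDP headers
MIN_POLL_SECONDS = 16   # assumption: ntpd's minimum poll interval, 2**4 seconds

# Constructed sample, not real logs: 192.0.2.10 polls once a minute (sane),
# 198.51.100.7 polls every second (the Netgear-style failure), 203.0.113.5
# is seen once.
SAMPLE_LOG = """\
2006-04-07T18:02:00Z 192.0.2.10
2006-04-07T18:02:00Z 198.51.100.7
2006-04-07T18:02:01Z 198.51.100.7
2006-04-07T18:02:02Z 198.51.100.7
2006-04-07T18:02:03Z 198.51.100.7
2006-04-07T18:02:04Z 198.51.100.7
2006-04-07T18:02:05Z 198.51.100.7
2006-04-07T18:02:30Z 203.0.113.5
2006-04-07T18:03:00Z 192.0.2.10
2006-04-07T18:04:00Z 192.0.2.10
"""


def parse_log(text):
    """Return a list of (unix_seconds, ip) from "<ISO time>Z <ip>" lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, ip = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts.replace(tzinfo=timezone.utc).timestamp(), ip))
    return records


def bitrate_kbps(pps, packet_bytes=NTP_PACKET_BYTES):
    """Convert a packet rate to kbit/s for a fixed on-the-wire packet size."""
    return pps * packet_bytes * 8 / 1000


def load_estimate(records, packet_bytes=NTP_PACKET_BYTES):
    """Aggregate packets/s and kbit/s over the span from first to last record.

    A span shorter than one second is treated as one second so the rate
    stays defined for a single record.
    """
    if not records:
        return {"packets": 0, "seconds": 0.0, "pps": 0.0, "kbps": 0.0}
    times = [t for t, _ in records]
    span = max(1.0, max(times) - min(times))
    pps = len(records) / span
    return {"packets": len(records), "seconds": span, "pps": pps,
            "kbps": bitrate_kbps(pps, packet_bytes)}


def abusive_sources(records, min_poll=MIN_POLL_SECONDS):
    """Return {ip: mean_interval_seconds} for clients polling faster than min_poll.

    A client seen only once has no interval and is never flagged, so a
    single burst of unrelated one-shot clients does not trigger the check.
    """
    by_ip = defaultdict(list)
    for t, ip in records:
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        if len(times) < 2:
            continue
        times.sort()
        mean_interval = (times[-1] - times[0]) / (len(times) - 1)
        if mean_interval < min_poll:
            flagged[ip] = mean_interval
    return flagged


def acl_lines(flagged, server_ip="203.0.113.123", acl_number=100):
    """Illustrative IOS-style extended ACL entries denying NTP from each flagged source.

    The server address and ACL number are placeholders (assumptions).
    """
    return ["access-list %d deny udp host %s host %s eq ntp" % (acl_number, ip, server_ip)
            for ip in sorted(flagged)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    est = load_estimate(recs)
    print("%d packets over %.0f s: %.3f pps, %.3f kbps" %
          (est["packets"], est["seconds"], est["pps"], est["kbps"]))
    bad = abusive_sources(recs)
    for ip, interval in sorted(bad.items()):
        print("flag %s: mean poll interval %.1f s" % (ip, interval))
    for line in acl_lines(bad):
        print(line)
```

Running it on the constructed sample reports the aggregate rate, flags only 198.51.100.7 (mean interval 1 s), and prints one deny entry for it; `bitrate_kbps(37)` reproduces the 37pps figure from the thread as roughly 22.5Kbps. In production you would feed it a packet capture or server log rather than the embedded sample, and consider the per-client KoD/rate-limit features of your NTP daemon before reaching for a router ACL.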