On Mon, Feb 10, 2014 at 11:19:51AM +0000, Jim Reid wrote:
> On 10 Feb 2014, at 10:42, "David J Taylor" <[email protected]> wrote:
>
> > This is just a personal precaution. I have not heard
> > un-amplified reflection actually takes place.
>
> Well now you just have. :-(
>
> My NTP server was recently killed by such an attack (no monlist). It was
> getting far in excess of 50K qps, possibly well over 100K qps. Things were so
> bad any IPv4 traffic was just about impossible because the server's IPv4
> stack -- internal data structures, buffer resources, etc -- had been
> overwhelmed. That box is no longer in the pool and will probably never
> return. Another NTP server I ran which wasn't in the pool got DDoS'ed last
> week in a similar attack and it didn't do monlist either.

Were the servers configured with restrict noquery? I'm wondering if they
used normal NTP client request (mode 3) or just a different command than
monlist.

-- 
Miroslav Lichvar
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
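
Added example, not part of the original thread: a small classifier for captured UDP/123 payloads that separates mode 3 client requests from mode 6/7 queries (the traffic `restrict noquery` refuses), which is the distinction the question above turns on. The sample payloads are constructed; request codes 20 and 42 are the monlist codes from ntpd's `ntp_request.h`, and the function names are illustrative.

```python
from collections import Counter

# Mode 7 (ntpdc private) request codes for monlist, from ntpd's ntp_request.h.
MODE7_REQ = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
# Mode 6 (ntpq control message) opcodes.
MODE6_OP = {1: "READSTAT", 2: "READVAR"}


def classify(payload: bytes) -> str:
    """Label one UDP/123 payload by NTP mode and, for query modes, by command."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07  # low three bits of the first byte
    if mode == 3:
        # Ordinary time request; a complete NTP header is 48 bytes.
        return "mode3-client" if len(payload) >= 48 else "mode3-short"
    if mode == 6:
        if payload[1] & 0x80:  # response bit in the second byte
            return "mode6-response"
        op = payload[1] & 0x1F
        return "mode6-" + MODE6_OP.get(op, f"op{op}")
    if mode == 7:
        if payload[0] & 0x80:  # response bit in the first byte
            return "mode7-response"
        return "mode7-" + MODE7_REQ.get(payload[3], f"req{payload[3]}")
    return f"mode{mode}"


def covered_by_noquery(label: str) -> bool:
    """True for ntpq/ntpdc traffic (modes 6 and 7); mode 3 is not affected."""
    return label.startswith(("mode6-", "mode7-"))


def summarize(payloads):
    return Counter(classify(p) for p in payloads)


# Constructed sample payloads (not captured traffic).
SAMPLE = [
    bytes([0x23]) + bytes(47),                    # v4 client request
    bytes([0xE3]) + bytes(47),                    # v4 client, LI=3 (unsynchronised)
    bytes([0x1B]) + bytes(47),                    # v3 client request
    bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4),   # mode 7, request code 42
    bytes([0x16, 0x02]) + bytes(10),              # mode 6, opcode 2
    b"\x23\x00",                                  # truncated
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {label:22s} noquery={covered_by_noquery(label)}")
```

A flood that shows up almost entirely as `mode3-client` is one that `restrict noquery` would not have stopped.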
