On 10 Feb 2014, at 11:32, Miroslav Lichvar <[email protected]> wrote:
>> My NTP server was recently killed by such an attack (no monlist). It was
>> getting far in excess of 50K qps, possibly well over 100K qps. Things were
>> so bad any IPv4 traffic was just about impossible because the server's IPv4
>> stack -- internal data structures, buffer resources, etc -- had been
>> overwhelmed. That box is no longer in the pool and will probably never
>> return. Another NTP server I ran which wasn't in the pool got DDoS'ed last
>> week in a similar attack and it didn't do monlist either.
>
> Were the servers configured with restrict noquery?

Yes. They've been configured that way for years:

    % grep noquery /etc/ntp.conf
    restrict default kod nomodify notrap nopeer noquery limited
    restrict -6 default kod nomodify notrap nopeer noquery limited

Sadly, I have no data on the attack source or what its packets looked like.
