On Mon, Feb 10, 2014 at 12:14:10PM +0000, Jim Reid wrote:
> >> My NTP server was recently killed by such an attack (no monlist). It was
> >> getting far in excess of 50K qps, possibly well over 100K qps. Things were
> >> so bad any IPv4 traffic was just about impossible because the server's
> >> IPv4 stack -- internal data structures, buffer resources, etc -- had been
> >> overwhelmed. That box is no longer in the pool and will probably never
> >> return. Another NTP server I ran which wasn't in the pool got DDoS'ed last
> >> week in a similar attack and it didn't do monlist either.
> >
> > Were the servers configured with restrict noquery?
>
> Yes. They've been configured that way for years:
>
> % grep noquery /etc/ntp.conf
> restrict default kod nomodify notrap nopeer noquery limited
> restrict -6 default kod nomodify notrap nopeer noquery limited
That's odd. With noquery the server should respond only to normal client
requests, and with limited+kod the outgoing packet rate should be much
smaller and not useful for an amplification/reflection attack. Any chance
the config also has "disable monitor"? That effectively disables the
limited and kod options.

-- 
Miroslav Lichvar
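To check a config for the interaction Miroslav asks about, here is an added example (not code from the list posters or from the ntp project) that parses the `restrict ... default` lines and any `enable`/`disable monitor` statement and reports whether `limited` can actually take effect; the two sample configs are constructed from the lines quoted above, and the family handling is simplified to keying each restrict line by its qualifier as written.

```python
"""Flag ntp.conf files where 'restrict ... limited kod' is voided by
'disable monitor': ntpd's rate limiting needs the monitor facility.
Added example; sample configs are constructed from the thread."""
from typing import Dict, List

# Constructed sample: the two lines Jim's grep returned.
CONF_FROM_THREAD = """\
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
"""

# Constructed sample: the same config plus the line Miroslav asked about.
CONF_WITH_DISABLE_MONITOR = CONF_FROM_THREAD + "disable monitor\n"


def parse_ntp_conf(text: str) -> Dict[str, object]:
    """Return restrict-default flags keyed by qualifier ('default',
    '-6 default', ...) and whether the monitor facility is on.
    '#' comments are stripped; later statements override earlier ones."""
    monitor_enabled = True  # ntpd default: monitor is enabled
    flags: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in ("enable", "disable") and "monitor" in words[1:]:
            monitor_enabled = words[0] == "enable"
        elif words[0] == "restrict" and len(words) >= 2:
            if words[1] in ("-4", "-6") and len(words) >= 3 and words[2] == "default":
                flags[f"{words[1]} default"] = words[3:]
            elif words[1] == "default":
                flags["default"] = words[2:]
            # restrict lines for specific hosts/networks are ignored here
    return {"monitor": monitor_enabled, "flags": flags}


def rate_limiting_effective(text: str) -> Dict[str, bool]:
    """Per restrict-default line: True only if 'limited' is set AND the
    monitor facility is on (kod only acts on clients 'limited' catches)."""
    parsed = parse_ntp_conf(text)
    return {key: bool(parsed["monitor"] and "limited" in fl)
            for key, fl in parsed["flags"].items()}


if __name__ == "__main__":
    for name, conf in (("as quoted", CONF_FROM_THREAD),
                       ("with disable monitor", CONF_WITH_DISABLE_MONITOR)):
        print(name, rate_limiting_effective(conf))
```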
