On 2014-10-06, Charles Swiger <cswi...@mac.com> wrote:
> On Oct 6, 2014, at 11:36 AM, Evandro Menezes <aevan...@gmail.com> wrote:
>> I've noticed a couple of NTP clients with the unusual avgint of 16s with
>> hundreds of accesses to my NTP server in the pool. I added a restriction,
>> in addition to the recommended ones already in place, to cope with the
>> suspicious clients, bumping the discard average threshold to 32s.
>> Eventually, KoD kicked them out, but they returned again and again, each
>> time with a different source UDP port. I'd think that were it the case of
>> an improperly configured, though kosher, NTP client, it would not haunt the
>> server again after a KoD. I suspect that it's the case of zombie systems
>> running some sort of DoS bot. If so, is this the behavior of the recent
>> DRDoS attack or a new attack on NTP?
>
> Unfortunately, many of the minimal NTP/SNTP clients baked into the firmware
> of phone switches, routers, and such are truly brain-dead and will not only
> ignore KoD replies, some of them will even start polling at 1-second
> intervals. You're better off firewalling off IPs which poll at abusive rates
> rather than hoping that ntpd's restrict/KoD stuff will help.
>

Not only that, but they are probably running ntp 3 systems, which do not have KoD.

> You can try to contact the remote sites and ask them to fix their broken NTP
> clients, but expect lots of pushback.

Or you could start sending back wildly inaccurate times.

> Regards,

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
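Charles's advice to firewall IPs that poll at abusive rates, as an added example that is not part of the thread: a Python script that parses text in the column layout of `ntpq -c mrulist` (the layout is assumed; the sample records are constructed, not real clients), flags clients whose avgint falls below the 32 s discard threshold Evandro set, and emits iptables drop rules keyed on source address only, since the abusers changed source port after each KoD.

```python
"""Flag NTP clients that poll at abusive rates and emit firewall drop rules.

Added example, not code from the thread. The input mimics the column layout
of `ntpq -c mrulist` (lstint avgint rstr r m v count rport remote address);
the records below are constructed sample data, not real clients.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample output: two fast pollers (avgint 16 s) with hundreds of
# hits, and two well-behaved clients polling every 15-17 minutes.
SAMPLE_MRULIST = """\
lstint avgint rstr r m v  count rport remote address
==============================================================================
    12     16  1b0 L 3 4    412   3401 192.0.2.10
   300    900  1b0 L 3 4      3    123 198.51.100.7
     5     16  1b0 L 3 3    388  50011 192.0.2.11
   640   1024  1b0 L 3 4      2    123 203.0.113.4
"""


@dataclass
class Client:
    address: str
    avgint: int  # average seconds between requests from this address
    count: int   # requests seen from this address
    rport: int   # source UDP port of the most recent request


def parse_mrulist(text):
    """Return one Client per data row; header, separator and odd lines are skipped."""
    clients = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not parts[0].isdigit():
            continue
        _lstint, avgint, _rstr, _r, _m, _v, count, rport, addr = parts
        clients.append(Client(addr, int(avgint), int(count), int(rport)))
    return clients


def abusive_clients(clients, min_avgint=32, min_count=100):
    """Clients polling more often than every `min_avgint` seconds with at
    least `min_count` hits (32 s is the discard average the poster set)."""
    return [c for c in clients if c.avgint < min_avgint and c.count >= min_count]


def drop_rules(clients):
    """iptables rules matching source address only: the thread reports the
    abusers returning from a new source port after every KoD, so port
    matching would not hold them."""
    return [f"iptables -I INPUT -p udp --dport 123 -s {ip_address(c.address)} -j DROP"
            for c in clients]


if __name__ == "__main__":
    for rule in drop_rules(abusive_clients(parse_mrulist(SAMPLE_MRULIST))):
        print(rule)
```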