The somewhat illegal fix for NTP attacks

Baldur Norddahl baldur.norddahl at
Fri Feb 21 22:08:13 UTC 2014


The following would probably be illegal so do not actually do this. But
what if... there are just 4 billion IPv4 addresses. Scanning that
address space for open NTP is trivially done in a few hours. Abusing these
servers for reflection attack is as trivial, hence the problem. How can we
get the responsible parties to fix their NTP servers?

Answer: DDoS them. With their own service.

Or it could be a DDoS defense. As a victim of an ongoing NTP reflection
attack, you know exactly the IP addresses of the vulnerable NTP servers
used to attack you. Make them stop by sending back forged NTP packets, so
they use up their available bandwidth to DDoS each other instead of you.

This could even be automated. If you let them attack their next-hop as
discovered by traceroute, it might not even be illegal or harmful. They
will only bring down their own link, do no more harm to the internet at
large and they can fix it by stopping the NTP service. If they are part of
an ongoing DDoS attack it is just self-defence to shut them down in the
least harmful way possible.
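The post's premise is that the victim of a reflection attack already knows the reflector addresses. The following is an added example, not code from the post or from NANOG, showing the defensive half of that: pulling the reflector list out of flow records so the operators can be notified. It assumes a simplified, constructed flow-record format (source, destination, ports, protocol, packet and byte counts) and an assumed average-packet-size threshold; real NetFlow or sFlow exports carry more fields, and the threshold would be tuned against the traffic actually observed.

```python
"""Identify likely NTP reflectors from flow records seen by a DDoS victim.

Added example, not code from the original post. It assumes flow records in
a simplified, constructed shape: (src_ip, src_port, dst_ip, dst_port,
proto, packets, octets). Real NetFlow/sFlow exports have more fields.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
# A normal NTP request or reply is 48 bytes (plus optional extension
# fields); traffic reflected off an abused server averages far larger.
AMPLIFIED_AVG_BYTES = 200   # assumed threshold for this example
MIN_PACKETS = 50            # ignore sources that sent only a handful of packets


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def find_ntp_reflectors(flows, victim_ip,
                        avg_bytes=AMPLIFIED_AVG_BYTES, min_packets=MIN_PACKETS):
    """Return {reflector_ip: (packets, octets)} for UDP sources that sent
    traffic from port 123 to the victim with an average packet size typical
    of amplified responses rather than ordinary NTP replies."""
    per_src = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp" or f.dst_ip != victim_ip or f.src_port != NTP_PORT:
            continue
        per_src[f.src_ip][0] += f.packets
        per_src[f.src_ip][1] += f.octets
    reflectors = {}
    for ip, (pkts, octs) in per_src.items():
        if pkts >= min_packets and octs / pkts >= avg_bytes:
            reflectors[ip] = (pkts, octs)
    return reflectors


def abuse_report_lines(reflectors):
    """One line per reflector, heaviest first, suitable for an abuse
    notification to the operators who can actually fix their servers."""
    ordered = sorted(reflectors.items(), key=lambda kv: kv[1][1], reverse=True)
    return [f"{ip} packets={p} octets={o} avg={o // p}" for ip, (p, o) in ordered]


# Constructed sample (documentation-range addresses): two reflectors hitting
# the victim, one ordinary NTP reply, unrelated TCP, and a reflector aimed
# at a different destination that must not be counted.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 123, "198.51.100.5", 54321, "udp", 1200, 528000),
    Flow("203.0.113.11", 123, "198.51.100.5", 54321, "udp", 800, 352000),
    Flow("203.0.113.12", 123, "198.51.100.5", 33000, "udp", 4, 192),      # normal NTP reply
    Flow("203.0.113.13", 443, "198.51.100.5", 40000, "tcp", 500, 600000), # unrelated TCP
    Flow("203.0.113.10", 123, "198.51.100.9", 54321, "udp", 300, 132000), # other destination
]

if __name__ == "__main__":
    hits = find_ntp_reflectors(SAMPLE_FLOWS, "198.51.100.5")
    for line in abuse_report_lines(hits):
        print(line)
```

The filter deliberately keys on the source port alone rather than on the destination port, because reflected responses arrive at whatever port the attacker forged in the spoofed request. Sources with few packets are dropped so that a genuine time-sync exchange with a legitimate server never lands on the report.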



More information about the NANOG mailing list