UDP/123 policers & status

Hal Murray hgm+nanog at ip-64-139-1-69.sjc.megapath.net
Fri Mar 20 21:58:53 UTC 2020


Steven Sommars said:
> The secure time transfer of NTS was designed to avoid amplification attacks.

I work on NTP software (ntpsec).  I have a couple of low cost cloud servers in 
the pool where I can test things and collect data.

I see bursts of 10K to several million packets "from" the same IP Address at 
1K to 10K packets per second.  Ballpark of 100 events per day, depending on 
the size cutoff.  I saw one that lasted for most of a day at 1K packets/sec.

All the packets I've seen have been vanilla NTP requests - no attempt at 
amplification.  I'm only checking a very small fraction of the garbage.

I haven't seen any pattern in the target IP Address.  Reverse DNS names that 
look like servers are rare.  I see legitimate NTP requests from some of the 
targets.

Would data be useful?  If so, who, what, ... (poke me off list)

I don't see any good solution that an NTP server can implement.  If I block 
them all, the victim can't get time.  If I let some fraction through, that 
just reduces the size of the DDoS.  I don't see a fraction that lets enough 
through so the victim is likely to get a response to a legitimate request 
without also getting a big chunk of garbage.  I'm currently using a fraction 
of 0.  If the victim is using several servers, one server getting knocked out 
shouldn't be a big deal.  (The pool mode of ntpd should drop that system and 
use DNS to get another.)

If NTS is used, it would be possible to include the client's IP Address in the 
cookie and only respond to requests with cookies that were issued to the 
client.  That has privacy/tracking complications.

----------

I don't want to start a flame war, but why isn't BCP 38 widely deployed?  Can 
somebody give me a pointer to a talk at NANOG or such?  What fraction of the 
world does implement BCP 38?

I'd also be interested in general background info on DDoS.  Who is DDoS-ing 
whom and/or why?  Is this gamers trying to get an advantage on a competitor?  
Bad guys making a test run to see if the server can be used for a real run?  
Is DDoS software widely available on the dark web?  ...





-- 
These are my opinions.  I hate spam.
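
Added example, not part of the original post and not ntpsec code: a sketch of the cookie check the message describes for NTS, where the server only answers a request whose cookie was issued to the packet's source address. The names issue_cookie and should_respond are hypothetical, and HMAC-SHA256 from the standard library stands in for the AEAD-protected cookie a real NTS server would use.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed server-side secret for the example; a real server would
# persist and rotate its cookie key.
SERVER_KEY = os.urandom(32)
NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output size


def _tag(key: bytes, nonce: bytes, client_ip: str) -> bytes:
    # Use the packed form so different spellings of the same address
    # (e.g. compressed vs. expanded IPv6) produce the same tag.
    packed = ipaddress.ip_address(client_ip).packed
    return hmac.new(key, nonce + packed, hashlib.sha256).digest()


def issue_cookie(client_ip: str, key: bytes = SERVER_KEY) -> bytes:
    """Mint a cookie bound to client_ip.

    The address goes into the MAC input only; it is not stored in the
    cookie itself.
    """
    nonce = os.urandom(NONCE_LEN)
    return nonce + _tag(key, nonce, client_ip)


def should_respond(cookie: bytes, source_ip: str,
                   key: bytes = SERVER_KEY) -> bool:
    """Return True only if the cookie was issued to source_ip."""
    if len(cookie) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    try:
        expected = _tag(key, nonce, source_ip)
    except ValueError:
        # Source address did not parse; treat as a mismatch.
        return False
    # Constant-time comparison of the presented and expected tags.
    return hmac.compare_digest(tag, expected)
```

A client whose address changes between cookie issue and use (NAT rebinding, a mobile network) fails this check and has to obtain fresh cookies.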





