Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) OptionsforDHCPv6

Mark Andrews <> Mon, 26 November 2007 12:01 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1Iwceq-0001TO-F6; Mon, 26 Nov 2007 07:01:48 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1Iwcep-0001TI-1v for; Mon, 26 Nov 2007 07:01:47 -0500
Received: from ([2001:470:1f00:820:214:22ff:fed9:fbdc]) by with esmtp (Exim 4.43) id 1Iwceh-0003rG-66 for; Mon, 26 Nov 2007 07:01:47 -0500
Received: from (localhost []) by (8.14.1/8.14.1) with ESMTP id lAQC1NS8060633; Mon, 26 Nov 2007 23:01:24 +1100 (EST) (envelope-from
Message-Id: <>
From: Mark Andrews <>
Subject: Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP) OptionsforDHCPv6
In-reply-to: Your message of "Mon, 26 Nov 2007 11:27:06 -0000." <>
Date: Mon, 26 Nov 2007 23:01:23 +1100
X-Spam-Score: -1.4 (-)
X-Scan-Signature: f66b12316365a3fe519e75911daf28a8
X-Mailman-Version: 2.1.5
Precedence: list
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

> Surely an ISP DNS must suffer the same issue. How do DNS implementations
> deal with the same problem given that the "attack" traffic then happens
> far more often. 

	If the SOHO boxs all handed out the same address for the DNS
	servers then there would be a problem.

	It reality there isn't because ISP's configure the DHCP
	servers to point to the ISP's caching DNS servers.  The SOHO
	boxes just re advertise what they have learnt from upstream.

	ISP's will do similar things with NTP servers.  They will point
	the DHCP clients to their NTP servers.  SOHO routeres will just
	re advertise what they learnt.

	This is a non-issue.

> -----Original Message-----
> From:
> [] On Behalf Of
> Danny Mayer
> Sent: 26 November 2007 04:41
> To: Ted Lemon
> Cc:;; Richard Gayraud (rgayraud)
> Subject: Re: [ntpwg] [dhcwg] Re: Network Time Protocol (NTP)
> OptionsforDHCPv6
> Ted,
> Let me try and outline the problem again and please come up with an idea
> which solves this.
> 1) The DHCP environment is divided into essentially two groups: Hardware
> like Netgear and Linksys routers and Software like ISC's DHCP Server and
> Nominum's Dynamic Configuration Server. IETF doesn't allow you to create
> a protocol which differentiate between these cases.
> The software side of the DHCP implementations are usually run by
> organizations for their internal use and are actively maintained. I have
> few worries about these since it's easy to deal with (relatively
> speaking) errors that the sysadmins make.
> The SOHO routers are different since the DHCP servers are built into the
> firmware and shipped in their 10's of thousands to individuals and small
> businesses who want wireless connections and routers but don't want to
> be in the business of configuring and maintaining them.
> So let's say Acme Routers ships a router with a builtin DHCP server
> which provides NTP server addresses to provide to the DHCP clients and
> they put just one address in it. Now say Starbucks gets all excited
> about how cheap they are and buys them for all their coffee stores. Now
> you have DHCP providing and amplication DDOS attack as all of those
> people sitting there laptops are all set up with the same NTP server
> address and sending NTP packets to the same NTP server. Note that in the
> UWisc/Netgear incident it was the NTP server built into the router that
> was the problem but it was only one server. Here we are having the
> router distributing the address to other systems which then do the dirty
> work and you'd get 10 times the effect of a Netgear incident. This is
> the problem that I'm trying to solve or rather mitigate.
> I refer you to the UWisc/Netgear incident paper that Dave Mills and Dave
> Plonka wrote:
> The brief slide version is here:
> It also discusses the loads on a number of other servers inclusing NIST
> and USNO
> PHK's incident with D-Link is written up here:
> I await your suggestions on how to prevent the routers becoming
> amplifiers via DHCP to bombarding NTP servers.
> Danny
> _______________________________________________
> ntpwg mailing list
> _______________________________________________
> ntpwg mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:

dhcwg mailing list