Re: [Ntp] Antw: [EXT] Microbursts of NTP packets

Steven Sommars <stevesommarsntp@gmail.com> Tue, 18 August 2020 12:56 UTC

From: Steven Sommars <stevesommarsntp@gmail.com>
Date: Tue, 18 Aug 2020 07:56:09 -0500
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: Watson Ladd <watsonbladd@gmail.com>, "ntp@ietf.org" <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1Z1UNXq5OHhLaUG62ylN3_0GShg>

Each of the 10-second bursts was NTP mode 3 (client) requests coming from
a single source address, almost always IPv4.
Over the course of time we saw 10-second bursts originating from hundreds
of clients.
These are client bugs, not DDoS attacks.  Source addresses are not
spoofed.

Note that the people who provide DDoS mitigation services say that NTP
reflection attacks are still an issue.

NTP server rate limiting, as Hal stated, will reduce the impact of buggy
clients or intentional attacks.
This is not a trivial topic.





On Tue, Aug 18, 2020 at 2:32 AM Ulrich Windl <
Ulrich.Windl@rz.uni-regensburg.de> wrote:

> >>> Watson Ladd <watsonbladd@gmail.com> wrote on 18.08.2020 at 03:20 in
> message
> <CACsn0cm7PX-NzJBrA6RR_u=1c3PWjga8t+iccd3Am_VFsDWoKQ@mail.gmail.com>:
> > Dear NTP WG,
> >
> > We're observing short bursts of high numbers of NTP queries at one
> > point of presence, exceeding the queue length of the listening ntp
> > socket, and leading to drops. The bursts are very short, so the
> > overall qps is nothing special. I'm quite mystified as to what the
> > possible causes could be.
>
> I think an important question is: From the same source or not?
> Also: Time queries, or control mode packets? If so it might be an attempt
> to attack...
>
> >
> > This is unfortunately leading to packet drops. If any operators have
> > seen this, their input on possible causes and solutions is welcome.
> >
> > Sincerely,
> > Watson Ladd
> >
> > _______________________________________________
> > ntp mailing list
> > ntp@ietf.org
> > https://www.ietf.org/mailman/listinfo/ntp
>
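
The triage questions raised in this thread (same source or not, time queries or control mode) can be answered from a capture summary. The following is an added example, not code from any participant; the function names, the 50-packet threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MODE_NAMES = {3: "client", 6: "control", 7: "private"}

def ntp_mode(first_byte):
    """Mode is the low 3 bits of the first NTP header byte (LI:2, VN:3, Mode:3)."""
    return first_byte & 0x07

def find_bursts(packets, window=10.0, threshold=50):
    """packets: (timestamp, src_ip, first_header_byte) tuples sorted by time.
    Returns sources that sent more than `threshold` packets inside any
    `window`-second span, with the peak count and a per-mode total."""
    recent = defaultdict(deque)                    # src -> timestamps in window
    modes = defaultdict(lambda: defaultdict(int))  # src -> mode -> total count
    bursts = {}
    for ts, src, first_byte in packets:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:                  # slide the window forward
            q.popleft()
        modes[src][ntp_mode(first_byte)] += 1
        if len(q) > max(threshold, bursts.get(src, {}).get("peak", 0)):
            bursts[src] = {"peak": len(q), "start": q[0]}
    for src, info in bursts.items():
        info["modes"] = {MODE_NAMES.get(m, str(m)): n
                         for m, n in modes[src].items()}
    return bursts

def build_sample():
    """Constructed capture summary; addresses are documentation ranges."""
    # One buggy client: 200 mode 3 requests in just under 10 seconds.
    pkts = [(100 + i * 0.05, "192.0.2.10", 0x23) for i in range(200)]
    for host in range(1, 31):                      # well-behaved clients, 64 s poll
        pkts += [(64 * k + host, f"198.51.100.{host}", 0x23) for k in range(4)]
    # A few mode 6 (control) packets from another source, below the threshold.
    pkts += [(105.0 + k, "203.0.113.5", 0x16) for k in range(3)]
    return sorted(pkts)

if __name__ == "__main__":
    for src, info in find_bursts(build_sample()).items():
        print(src, info)
```

A flagged source whose modes are all "client" matches the buggy-client pattern described above; mode 6 or 7 traffic in the breakdown points to the control-mode case asked about in the quoted reply.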