Re: [Ntp] DDoS meets NTP

Daniel Franke <dfoxfranke@gmail.com> Mon, 19 April 2021 19:39 UTC

To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/L4Egrbl0l7-ioCFV8p-nZQZ3YTk>

On Mon, Apr 19, 2021 at 3:12 PM Hal Murray <hmurray@megapathdsl.net> wrote:


> If I don't rate limit, then a bad guy can use my server as a reflector to
> DDoS any target.  Making my server run at full line rate just makes things
> worse for victims.
>

If your server is correctly configured, then you never amplify any traffic
so adversaries gain no benefit from doing this. They can hammer the
ultimate victim just as hard on their own as they can by using your server
as a reflector.