Re: [Ntp] DDoS meets NTP

Hal Murray <hmurray@megapathdsl.net> Mon, 19 April 2021 19:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/UUm5coAJ86b_QONbZ9E3gvhipxg>

dfoxfranke@gmail.com said:
> No. A client will treat a server as unreachable after 8 dropped replies, so
> an attacker can DoS a client by sending spoofed packets at the rate limit
> plus eight times the client's burst interval, which at conventional rate
> limits is an absolutely trivial amount of traffic. Trying to rate-limit NTP
> is just absolutely counterproductive no matter how you approach it. The way
> to make NTP DDoS-resilient is to spec your server with enough CPU to keep up
> with requests coming in at the full capacity of your network link. Do this,
> and attackers will achieve no more by hammering you with NTP requests than by
> hammering you with random garbage. 

If I don't rate limit, then a bad guy can use my server as a reflector to DDoS
any target.  Making my server run at full line rate just makes things worse
for victims.


-- 
These are my opinions.  I hate spam.
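To make the trade-off argued in this exchange concrete, here is an added simulation (not code from either poster) of how an NTP client's 8-bit reachability register responds when a per-source rate limit on the server drops the client's replies. The limiter policy (one reply per source per fixed interval), the 64 s poll interval, and the timing of the spoofed packets are assumptions for the model, not measured ntpd behaviour.

```python
"""Model: per-source rate limiting on an NTP server vs. the client's reach register.

Assumed simplifications: the server allows at most one reply per source address
per `min_interval` seconds, and the client shifts its 8-bit reach register once
per poll (bit 0 set when a reply arrived), treating the server as unreachable
when the register reads zero. Packets forged with the client's address are
indistinguishable from real polls at the limiter, so they consume its budget.
"""
from dataclasses import dataclass, field

REACH_MASK = 0xFF  # 8-bit register: 8 consecutive dropped replies clear it


@dataclass
class ReachRegister:
    reach: int = 0

    def poll(self, got_reply: bool) -> int:
        self.reach = ((self.reach << 1) | int(got_reply)) & REACH_MASK
        return self.reach

    @property
    def reachable(self) -> bool:
        return self.reach != 0


@dataclass
class RateLimiter:
    min_interval: float
    last_seen: dict = field(default_factory=dict)

    def allow(self, src: str, now: float) -> bool:
        last = self.last_seen.get(src)
        self.last_seen[src] = now  # updated even when the packet is dropped
        return last is None or now - last >= self.min_interval


def timeline(poll_interval: float, spoof_interval, polls: int):
    """Constructed event list: real polls plus forged packets bearing the client's address."""
    events = [((i + 1) * poll_interval, "client") for i in range(polls)]
    t, end = 0.5, polls * poll_interval  # 0.5 s offset keeps forged packets off poll instants
    while spoof_interval and t < end:
        events.append((t, "spoof"))
        t += spoof_interval
    return sorted(events)


def simulate(poll_interval=64.0, min_interval=2.0, spoof_interval=None, polls=8) -> int:
    """Return the client's reach register after `polls` polls under the given traffic."""
    limiter, reg = RateLimiter(min_interval), ReachRegister()
    for t, kind in timeline(poll_interval, spoof_interval, polls):
        allowed = limiter.allow("client-addr", t)  # server cannot tell the two apart
        if kind == "client":
            reg.poll(allowed)
    return reg.reach
```

With no forged traffic the register fills to 0xFF; forged packets arriving more often than `min_interval` leave it at 0 after eight polls, while forged packets spaced wider than the limit leave the client unaffected.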