You are blocking legit requests, but mitigating the impact of the attack likely outweighs the loss of legit NTP traffic (for a little while). If it becomes chronic and you have deep pockets, there's always Prolexic, who can save you for a pretty penny.
On Thu, Feb 13, 2014 at 6:18 PM, Nyamul Hassan <[email protected]> wrote:
> Hi,
>
> Our public NTP servers have started receiving an inordinate amount of NTP
> requests. In order to mitigate the problem, we find that a lot of these
> queries are originating from or being sent to ports other than 123.
>
> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123
> must also originate the request from UDP 123. Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
>
> Could someone confirm if this is correct? Or are we blocking legitimate
> requests as well?
>
> Regards
> HASSAN
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
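To make the "you are blocking legit requests" point concrete, here is an added example (not code from either poster or from the ntp.org pool project) that runs a few constructed NTP flows through the rule described in the quoted message (accept only UDP 123 -> 123) and through an assumed alternative that keys on the NTP mode field instead of the source port. The flows and the "mode-aware" rule are my assumptions for illustration: ntpd typically sends from source port 123, while SNTP-style clients (sntp, ntpdate -u, chrony, Windows w32time) send from an ephemeral port, so a strict 123 -> 123 rule drops those real clients while still accepting non-time queries that happen to arrive from port 123.

```python
"""Classify inbound UDP flows to a public NTP server under two filter rules.

Added example. All flows below are constructed samples, not captured traffic,
and the mode-aware rule is an assumed alternative, not advice from the thread.
"""
from dataclasses import dataclass

NTP_PORT = 123
NTP_PACKET_LEN = 48   # fixed NTP header, no extension fields

MODE_CLIENT = 3       # ordinary time request
MODE_PRIVATE = 7      # reserved for implementation-specific use; not a time request


def build_ntp_packet(mode: int, version: int = 4) -> bytes:
    """Build a minimal 48-byte NTP packet with LI=0 and the given version/mode.

    Byte 0 layout: LI (2 bits) | VN (3 bits) | Mode (3 bits).
    """
    li_vn_mode = (0 << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return bytes([li_vn_mode]) + bytes(NTP_PACKET_LEN - 1)


def ntp_mode(payload: bytes):
    """Return the NTP mode (low 3 bits of byte 0), or None for a runt packet."""
    if len(payload) < NTP_PACKET_LEN:
        return None
    return payload[0] & 0x07


@dataclass(frozen=True)
class Flow:
    label: str
    src_port: int   # remote machine's port
    dst_port: int   # our server's port
    payload: bytes


# Constructed samples of what a public server might see on UDP/123 (assumed).
SAMPLE_FLOWS = [
    Flow("ntpd client, src 123",       123,   123, build_ntp_packet(MODE_CLIENT)),
    Flow("sntp client, ephemeral src", 54321, 123, build_ntp_packet(MODE_CLIENT)),
    Flow("mode 7 query, src 123",      123,   123, build_ntp_packet(MODE_PRIVATE)),
    Flow("mode 7 query, src 80",       80,    123, build_ntp_packet(MODE_PRIVATE)),
    Flow("runt packet, src 123",       123,   123, b"\x23"),
]


def strict_port_filter(flow: Flow) -> bool:
    """The rule from the quoted message: accept only 123 -> 123, regardless of content."""
    return flow.src_port == NTP_PORT and flow.dst_port == NTP_PORT


def mode_aware_filter(flow: Flow) -> bool:
    """Assumed alternative: accept any well-formed mode-3 client request to 123,
    whatever its source port, and drop every other mode (6/7 control and private
    queries included) and every runt packet."""
    return flow.dst_port == NTP_PORT and ntp_mode(flow.payload) == MODE_CLIENT


def evaluate(filter_fn) -> dict:
    """Map each sample flow's label to True (accept) or False (drop) under filter_fn."""
    return {f.label: filter_fn(f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, fn in (("strict 123->123 rule", strict_port_filter),
                     ("mode-aware rule", mode_aware_filter)):
        print(name)
        for label, accepted in evaluate(fn).items():
            print(f"  {'ACCEPT' if accepted else 'DROP  '}  {label}")
```

Running it shows the trade-off the reply is pointing at: the strict rule drops the ephemeral-port SNTP client but accepts the mode 7 query that arrives from port 123, while the mode-aware rule does the reverse. Whatever rule you pick, a firewall that matches only on ports is deciding on a field the sender controls, so it buys time rather than a fix.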
