On 07/07/2014 04:10 PM, Danny Mayer wrote:
> The experience with blocking has actually been negative and we have
> seen traffic actually INCREASE after it is blocked because the client,
> not having received a response, tries more often. This has been observed
> in the wild.

This might be true for proper NTP clients, but I wonder if this is true for faked NTP requests from DDOSers. KOD serves no purpose for DDOSers, so massive attacks are best handled by dropping that traffic, and possibly pushing the dropping away from the node and subnet running the server. For more modest overload scenarios, such as misconfigured or otherwise erroring NTP clients, I believe that what you describe is correct.

Let's not confuse these different scenarios, as they most probably have different solutions. My point was that DDOS amplification/relaying should be considered, as we need that solved, while KOD refinements are maybe nice but address another problem.

I don't think you will be able to handle the DDOS issues without doing blocking, and you want that blocking to move away from your server in order to reduce the impact on the service.

Cheers,
Magnus
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
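To make the distinction drawn in the message above concrete, here is an added example (not from the thread and not ntpd's own code) that runs two constructed request streams through a toy per-source policy: a real but misconfigured client that polls once a second, and a spoofed flood that carries a victim's address as its source. The window length and the KoD/drop thresholds are assumptions for illustration, not ntpd's `limited`/`kod` rate-limit parameters. The point it shows is that a KoD-only policy does nothing useful against the flood, because every KoD reply is itself a packet sent to the spoofed address, whereas silently dropping after a threshold caps the reflected traffic; the misconfigured client, by contrast, still receives KoD replies it can act on.

```python
"""Toy model of two NTP overload scenarios: a real-but-misconfigured client
versus a spoofed-source flood, and what a per-source policy sends back.

Added example; not code from the thread or from ntpd. Thresholds and the
window are assumptions, not ntpd's actual 'limited'/'kod' rate-limit values.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 8.0   # assumed sliding window per source address
KOD_AFTER = 4          # assumed: more than this many requests per window -> send KoD
DROP_AFTER = 20        # assumed: more than this many per window -> silent drop


class NtpPolicy:
    """Per-source decision: 'answer', 'kod' (Kiss-o'-Death reply), or 'drop'.

    drop_after=None models a KoD-only server that never stops replying.
    """

    def __init__(self, kod_after=KOD_AFTER, drop_after=DROP_AFTER, window=WINDOW_SECONDS):
        self.kod_after = kod_after
        self.drop_after = drop_after
        self.window = window
        self.history = defaultdict(deque)  # src -> arrival times inside the window

    def decide(self, src, now):
        q = self.history[src]
        # Expire arrivals that have slid out of the window for this source.
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        seen = len(q)
        if self.drop_after is not None and seen > self.drop_after:
            return "drop"  # nothing goes back to this (possibly spoofed) address
        if seen > self.kod_after:
            return "kod"   # a reply a real client will honour by backing off
        return "answer"


def simulate(requests, policy):
    """Run (src, arrival_time) pairs through the policy; count decisions and
    packets emitted per source (answers and KoDs both leave the server)."""
    counts = {"answer": 0, "kod": 0, "drop": 0}
    sent_to = defaultdict(int)
    for src, t in requests:
        verdict = policy.decide(src, t)
        counts[verdict] += 1
        if verdict != "drop":
            sent_to[src] += 1
    return counts, dict(sent_to)


def misconfigured_client(src="192.0.2.10", seconds=30):
    """Constructed input: one real client polling once a second for 30 s."""
    return [(src, float(t)) for t in range(seconds)]


def spoofed_flood(victim="198.51.100.7", packets=500):
    """Constructed input: many requests within one second, all carrying the
    victim's address as source (the sender never sees our replies)."""
    return [(victim, i * (1.0 / packets)) for i in range(packets)]


if __name__ == "__main__":
    c, s = simulate(misconfigured_client(), NtpPolicy())
    print("misconfigured client:", c, "packets to client:", s)
    c, s = simulate(spoofed_flood(), NtpPolicy(drop_after=None))
    print("flood, KoD only:     ", c, "packets reflected to victim:", s)
    c, s = simulate(spoofed_flood(), NtpPolicy())
    print("flood, with drop:    ", c, "packets reflected to victim:", s)
```

The model only covers what the server itself can decide per source address; moving the drop upstream of the server and its subnet, as the message suggests, is a network-level filter that this example does not represent.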