Steven Sommars said:
The secure time transfer of NTS was designed to avoid amplification attacks.
I work on NTP software (ntpsec). I have a couple of low cost cloud servers in the pool where I can test things and collect data. I see bursts of 10K to several million packets "from" the same IP Address at 1K to 10K packets per second. Ballpark of 100 events per day, depending on the size cutoff. I saw one that lasted for most of a day at 1K packeets/sec. All the packets I've seen have been vanilla NTP requests - no attempt at amplification. I'm only checking a very small fraction of the garbage. I haven't seen any pattern in the target IP Address. Reverse DNS names that look like servers are rare. I see legitimate NTP requests from some of the targets. Would data be useful? If so, who, what, ... (poke me off list) I don't see any good solution that a NTP server can implement. If I block them all, the victim can't get time. If I let some fraction through, that just reduces the size of the DDoS. I don't see a fraction that lets enough through so the victim is likely to get a response to a legitimate request without also getting a big chunk of garbage. I'm currently using a fraction of 0. If the victim is using several servers, one server getting knocked out shouldn't be a big deal. (The pool mode of ntpd should drop that system and use DNS to get another.) If NTS is used, it would be possible to include the clients IP Address in the cookie and only respond to requests with cookies that were issued to the client. That has privacy/tracking complications. ---------- I don't want to start a flame war, but why isn't BCP 38 widely deployed? Can somebody give me a pointer to a talk at NANOG or such? What fraction of the world does implement BCP 38? I'd also be interested in general background info on DDoS. Who is DDoS-ing whom and/or why? Is this gamers trying to get an advantage on a competitor? Bad guys making a test run to see if the server can be used for a real run? Is DDoS software widely available on the dark web? ... -- These are my opinions. I hate spam.