On Apr 7, 2006, at 6:02 PM, Mark Boolootian wrote:
Its just NTP, I can't imagine that it is *really* enough traffic to care all that much.
You're kidding, right? Do you know what happened to wisc.edu:
Correct me if I'm wrong, but... That was only "really" a problem for them because there was a flaw in the Netgear code that caused the devices to make requests every second. That's not (as far as I'm aware) happening here, so we're not talking huge amounts of bandwidth. We intentionally run public NTP servers, which are even in the pool.ntp.org pool, as well as on some NTP lists. I've pegged about 35,000 unique IPs using our North America server in the last 24 hours, or about 175pps. Bandwidth usage is about 100Kbps per second on average. The occasional burst up to 250Kbps+, but those are pretty rare. This link here: http://www.lightbluetouchpaper.org/2006/04/07/when- firmware-attacks-ddos-by-d-link/ says he's getting 37pps. NTP uses 76 byte packets. 37pps * 76 byte packets = 22.4Kbps, or less than the amount of traffic a dialup user can spew. If you're running a semi- public server on the internet, and it can't handle a dialup user flooding it - you need a firewall anyway. :) I can see how unwanted NTP traffic could be a nuisance, but not how it could possibly cost US$8,800 per year. Nor requiring the use of a US$5000 "external consultant" to track down the source of the traffic. Nor worthy of invoking the Slashdot masses in outrage. Let alone why an additional traffic load of less than a dialup user accessing your server in any way is worthy of caring. Bad on D-Link for what they've done, but total overreaction on the other side as well. I think the lesson here is that any service you make available to the public (NTP, DNS, IRC, SMTP, whatever) is going to be used in ways that do not match with your desires. If you're not willing to ACL/ police the service, you're going to have to accept that people are going to use it in ways you'd rather they didn't.