Possible Upcoming NTP Reflection DDoS Attack


Hi everyone.

Recently I heard of a possible plan from a group of blackhat crackers to utilize vulnerable NTP servers from the Pool to launch a reflection DDoS attack. Even if it is not going to happen, or the attack is not feasible, I think it is the right time for every NTP server operator to fix and upgrade vulnerable servers. Please notify every NTP operator you know and make them aware of the (old) issue.

TL;DR: upgrade NTP and use

# noquery drops mode 6 (ntpq) and mode 7 (ntpdc/monlist) queries, the ones abused for reflection;
# kod + limited rate-limit clients with Kiss-o'-Death packets; nomodify/notrap/nopeer refuse changes, traps and peering
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

@Ask, could we integrate misconfiguration detection into the monitoring system? For example, show a warning message for servers that answer public queries. This could dramatically raise awareness of the issue.
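The kind of check the post asks for, written out as an added example (this is not code from the NTP Pool project or from the poster): it builds the two probes that reflection attacks abuse, the mode 7 "monlist" request that `ntpdc` sends and the mode 6 "readvar" request that `ntpq -c rv` sends, parses whatever comes back, and reports the amplification factor. A server with the `noquery` restriction above answers neither. The function names, the flag-any-answer policy and the CONSTRUCTED_* sample replies are assumptions of this example; the packet layouts follow the ntpd mode 6/7 wire formats.

```python
"""Probe an NTP server for the mode 6/7 queries abused in reflection attacks.

Added example, not NTP Pool project code. Function names, the policy of
flagging any answered probe, and the CONSTRUCTED_* sample replies are
assumptions made for illustration.
"""
import socket
import struct

# Mode 7 request for REQ_MON_GETLIST_1 (42) against IMPL_XNTPD (3):
# byte 0 = response(0) more(0) version(2) mode(7) -> 0x17, byte 1 = auth/seq 0,
# then implementation, request code, and 4 zero bytes (err/count, mbz/size).
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

# Mode 6 control request, opcode CTL_OP_READVAR (2) on association 0, i.e.
# what `ntpq -c rv` sends: version(2) mode(6) -> 0x16, R/E/M bits clear,
# sequence 1, status 0, assoc 0, offset 0, count 0, no payload.
READVAR_REQUEST = struct.pack("!BBHHHHH", 0x16, 0x02, 1, 0, 0, 0, 0)


def parse_mode7_response(data):
    """Decode a mode 7 reply header; None if `data` is not a mode 7 response."""
    if len(data) < 8:
        return None
    flags, _auth_seq, impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if flags & 0x07 != 7 or not flags & 0x80:  # mode 7 with the response bit set
        return None
    return {
        "more": bool(flags & 0x40),   # more packets follow (monlist is paged)
        "impl": impl,
        "request_code": req,
        "error": err_count >> 12,     # 4-bit error code, 0 = INFO_OKAY
        "count": err_count & 0x0FFF,  # 12-bit number of data items
        "item_size": mbz_size & 0x0FFF,
        "bytes": len(data),
    }


def parse_mode6_response(data):
    """Decode a mode 6 reply header; None if `data` is not a mode 6 response."""
    if len(data) < 12:
        return None
    vn_mode, rem_op, _seq, _status, _assoc, _offset, count = struct.unpack("!BBHHHHH", data[:12])
    if vn_mode & 0x07 != 6 or not rem_op & 0x80:  # mode 6 with the R bit set
        return None
    return {
        "opcode": rem_op & 0x1F,
        "error": bool(rem_op & 0x40),
        "count": count,                   # payload length field
        "payload": data[12:12 + count],
        "bytes": len(data),
    }


def amplification_factor(request, replies):
    """Bytes returned per byte sent, the figure a reflector is judged by."""
    return sum(len(r) for r in replies) / len(request)


def assess(request, replies):
    """Turn the replies to one probe into a finding, or None if the host stayed silent."""
    if not replies:
        return None
    if request[0] & 0x07 == 7:
        parsed = [p for p in map(parse_mode7_response, replies) if p]
        kind = "mode7-monlist"
    else:
        parsed = [p for p in map(parse_mode6_response, replies) if p]
        kind = "mode6-readvar"
    if not parsed:
        return None
    return {"kind": kind, "packets": len(parsed),
            "amplification": amplification_factor(request, replies)}


def probe(host, request, port=123, timeout=2.0):
    """Send one probe and collect every datagram returned before the timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(1024)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


def check_server(host):
    """Findings for one host; an empty list means it answered neither probe."""
    findings = []
    for request in (MONLIST_REQUEST, READVAR_REQUEST):
        finding = assess(request, probe(host, request))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample replies (not captured traffic) to exercise the parsers
# offline: one monlist page carrying 6 entries of 72 bytes with "more" set
# (8-byte header + 432 bytes of entries = 440 bytes), and a short readvar page.
CONSTRUCTED_MONLIST_REPLY = bytes([0xD7, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + b"\x00" * 432
_READVAR_PAYLOAD = b'version="ntpd (constructed sample)", processor="x86_64", system="Linux"'
CONSTRUCTED_READVAR_REPLY = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0, len(_READVAR_PAYLOAD)) + _READVAR_PAYLOAD

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_server(host) or "no answer to mode 6/7 probes")
```

Run it as `python3 ntpcheck.py server.example.org` against a host you operate. The constructed monlist page alone yields a 55x ratio (440 bytes back for 8 sent), and a real monlist answer spans many such pages, which is why `noquery` (or at least `disable monitor`) matters more than rate limiting here; `kod limited` only slows the reflector down, it does not stop it answering.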



I had the system check for this for a while, but I suspect the feature broke. I suspect the NTP Pool servers are a tiny, tiny part of the problem, as they are disproportionately likely to be well maintained / monitored etc. (versus a random server on the internet with ntpd exposed to the internet). :-/