There are not only DDoS amplifiers. I see many dumb queries with 0.3-2 second intervals. It looks like the sources are located behind NAT, are not NAT'ed correctly and do not receive my answers. Or they just have a "broken" NTP client. Or it is a DDoS reflection attack; that still exists, using simple queries with a spoofed source IP. One of my clients sometimes gets such a flood at 5-10 Gbit/s.

It looks like MRU reduces the reply rate to these queries by 20-25%. I typically have 4 kpps input and 3-3.2 kpps output on the server. Also, MRU gives me a list of the worst clients, and I can list them for further action. This is useful for the network and routers, which then have to process less "crap" pps, not for the NTP service directly.

I will test the current fixed sources and no-fuzz during the week.

--
Mike
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
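The post uses the MRU (monitor) list to pick out the "worst clients" for further action. The script below is an added example, not code from the post or from NTPsec: it parses monitor-list records whose column layout is assumed to resemble `ntpq -c mrulist` output (lstint, avgint, rstr, r, m, v, count, rport, remote address) and returns the clients whose average inter-query interval is in the "dumb client" range the post describes, worst first by packet count. The sample records are constructed and use documentation addresses; the threshold values are assumptions.

```python
"""Triage a monitor (MRU) list for abusive NTP clients.

Added example, not from the mailing-list post or from NTPsec. The record
layout is assumed to resemble `ntpq -c mrulist` output; the sample below is
constructed, not a real capture.
"""
from dataclasses import dataclass

# Constructed sample in ntpq mrulist-like layout (assumption, not a capture).
SAMPLE_MRULIST = """\
lstint avgint rstr r m v  count rport remote address
==============================================================================
     2      1    10 L 3 4    1450   123 203.0.113.5
     0      0    10 L 3 4    9800  1024 198.51.100.7
   300     64     0 . 3 4      12   123 192.0.2.10
    15   1024     0 . 3 4       3   123 192.0.2.11
     1      1    10 L 3 3    2200   123 203.0.113.99
"""


@dataclass
class MruEntry:
    remote: str
    avgint: float   # average seconds between packets from this source
    count: int      # packets seen since the entry was created
    mode: int       # NTP packet mode (3 = client request)
    limited: bool   # 'L' in the r column: server already rate-limited this source


def parse_mrulist(text: str) -> list[MruEntry]:
    """Parse mrulist-style text, skipping the header and separator lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with an integer lstint; header/separator rows do not.
        if len(fields) < 9 or not fields[0].lstrip("-").isdigit():
            continue
        _lstint, avgint, _rstr, r, m, _v, count, _rport, remote = fields[:9]
        entries.append(
            MruEntry(
                remote=remote,
                avgint=float(avgint),
                count=int(count),
                mode=int(m),
                limited=(r == "L"),
            )
        )
    return entries


def worst_clients(entries: list[MruEntry], max_avgint: float = 2.0,
                  min_count: int = 100) -> list[MruEntry]:
    """Sources polling far faster than any sane client (avgint <= 2 s by
    default) with enough packets to matter, sorted worst first by count.
    Thresholds are assumptions; tune them to your own traffic."""
    bad = [e for e in entries if e.avgint <= max_avgint and e.count >= min_count]
    return sorted(bad, key=lambda e: e.count, reverse=True)


def block_list(entries: list[MruEntry]) -> list[str]:
    """Addresses only, in the order returned by worst_clients(), ready to be
    fed to whatever upstream filter the network team uses."""
    return [e.remote for e in entries]


if __name__ == "__main__":
    worst = worst_clients(parse_mrulist(SAMPLE_MRULIST))
    for e in worst:
        print(f"{e.remote:16} avgint={e.avgint:<6g} count={e.count:<6} "
              f"mode={e.mode} limited={e.limited}")
```

Because a spoofed-source reflection flood also shows up here as a few addresses with a tiny avgint and a large count, the list is only a starting point: the "victim" addresses in a reflection attack are not the real senders, so upstream filtering rather than server-side rate limiting is where this list is useful, as the post notes.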