Fuzz, Numbers

Mike Yurlov ntp at kaluga.net
Mon Jan 6 08:56:13 UTC 2020

there are not only DDoS amplifier. I see many dumb queries with 0.3-2 
second interval. Looks like sources located behind NAT, does not NAT'ed 
correctly and does not recieve my answers. Or just it have "broken" ntp 
client. Or DDoS reflection attack. It still exists by simple queries 
with spoofed source ip. One of my clients sometimes gets such flood at 

Looks like MRU reduce reply rate to this queries by 20-25%. I typically 
have 4kpps input and 3-3.2kpps output on server. Also MRU give me list 
of the worst clients and I can list them for futher action. This is 
useful for network and routers that have to process less "crap" pps. Not 
to ntp service directly.

I will test current fixed sources and no-fuzz on the week.


More information about the devel mailing list