With these reflection attacks, the source IP should be the IP of the vulnerable server. So shouldn't nodes which see abnormal amounts of NTP data be able to add the source to a blacklist and therefore mitigate the attack?
3
I expect any decent DDoS protection service (Prolexic, CloudFlare, etc.) will do exactly what you suggest.
If you consider a basic web presence, where the site has limited bandwidth to the Internet, an on-site blacklist doesn't help. All that NTP traffic will saturate the link, so it doesn't matter that the on-site firewall immediately drops the traffic - it still interferes with legitimate users. This is why you need upstream filtering to mitigate a DDoS attack.
paj28
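To make the answer's point concrete, here is an added example (not code from the question or the answer): a per-source volume check of the kind the question proposes, run over constructed flow records, followed by a comparison of how much traffic still crosses the site's access link when the blocklist is enforced on-site versus upstream at the provider. The flow records, IP addresses, byte counts, the 1 Mbit/s flagging threshold and the 50 Mbit/s link size are all constructed for illustration.

```python
"""Added example: flag abusive NTP reply sources and show why on-site
filtering alone does not protect a saturated access link."""
from collections import defaultdict

NTP_PORT = 123
WINDOW_SECONDS = 10  # the constructed records below cover one 10-second window

# Constructed flow records: (src_ip, dst_ip, proto, src_port, bytes).
# 198.51.100.5 is the site being hit; two hosts send huge UDP/123 replies,
# one host sends a normal-sized NTP reply, and one is ordinary HTTPS traffic.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", "udp", 123, 60_000_000),  # constructed reflector
    ("203.0.113.11", "198.51.100.5", "udp", 123, 45_000_000),  # constructed reflector
    ("192.0.2.7",    "198.51.100.5", "udp", 123, 1_200),       # normal time-sync reply
    ("192.0.2.8",    "198.51.100.5", "tcp", 443, 3_000_000),   # legitimate web traffic
]


def ntp_bytes_per_source(flows):
    """Sum the bytes of flows sourced from UDP/123, keyed by source IP."""
    totals = defaultdict(int)
    for src, _dst, proto, sport, nbytes in flows:
        if proto == "udp" and sport == NTP_PORT:
            totals[src] += nbytes
    return dict(totals)


def sources_to_block(flows, threshold_bps):
    """Return source IPs whose NTP reply rate exceeds threshold_bps (bits/s).

    This is the blacklist the question describes: a host replying with far
    more NTP data than any real time server would is treated as a reflector.
    """
    flagged = []
    for src, nbytes in ntp_bytes_per_source(flows).items():
        bps = nbytes * 8 / WINDOW_SECONDS
        if bps > threshold_bps:
            flagged.append(src)
    return sorted(flagged)


def link_load(flows, blocklist, filter_point, link_bps):
    """Bits/s that actually arrive on the customer's access link.

    filter_point="onsite":   the firewall sits behind the link, so blocked
                             traffic has already consumed link capacity.
    filter_point="upstream": the provider drops blocked sources before the
                             link, so only the remaining traffic arrives.
    """
    total_bits = 0
    for src, _dst, _proto, _sport, nbytes in flows:
        if filter_point == "upstream" and src in blocklist:
            continue
        total_bits += nbytes * 8
    bps = total_bits / WINDOW_SECONDS
    return {"bps": bps, "saturated": bps > link_bps}


if __name__ == "__main__":
    block = set(sources_to_block(FLOWS, threshold_bps=1_000_000))
    print("blocked sources:", sorted(block))
    for where in ("onsite", "upstream"):
        load = link_load(FLOWS, block, where, link_bps=50_000_000)
        print(f"{where:8s} filtering: {load['bps'] / 1e6:.1f} Mbit/s on link, "
              f"saturated={load['saturated']}")
```

With these constructed numbers both reflectors are flagged, but the on-site case still sees about 86 Mbit/s arriving at a 50 Mbit/s link, so legitimate users are cut off regardless of what the firewall drops; only the upstream case brings the link back to a few Mbit/s.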
- right, but why limit it to DDoS Protection services and not just arbitrary backbone nodes on the net? – chacham15 Feb 23 '14 at 08:04
- @chacham15 - there is no such thing as a global blacklist. Perhaps there should be one, but as of 2014 no-one has worked out a way to do it. – paj28 Feb 23 '14 at 08:06