Description
Hi all, for a project I was working on spoofing Kiss-Of-Death (KOD) to various clients including NTPD-RS, NTPSec, etc.
Background:
According to the NTPv4 RFC, if the client receives a KOD response from a server, it should immediately increase the polling interval (time between consecutive requests to the same server). It includes the correct timestamps but the ref_id field is set to RATE, which is called a kiss code. For many reasons, all clients should ignore KOD packets with any kiss codes.
In the RFC there is another kiss code called DENY, which means the server will not be serving that client anymore and the client should not be sending requests.
Bug:
When NTPD-RS gets a RATE packet, it simply ignores it. But if it gets a DENY as a response, it immediately resends the request. If the server again replies with a DENY packet, the client again resends, and this goes on in a loop. This consumes significant resources of the server and the network as, instead of 1-2 packets, it's sending 100s in a few seconds.
This behavior stops if the server stops sending the DENY responses, and after 15 minutes the client starts operating normally.
Fix:
NTPD-RS should ignore all KOD packets with any kiss codes.
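
A sketch of the proposed fix, added here as an illustration and not taken from ntpd-rs: replies with stratum 0 are classified as kiss codes and dropped, so a DENY sent in answer to every request cannot pull the next request earlier than the scheduled poll. `Client`, `classify`, `sample_reply` and `requests_sent` are hypothetical names, and the packets are constructed samples.

```rust
#[derive(Debug, PartialEq)]
pub enum Reply {
    Time,          // stratum 1..=15: usable time sample
    Kiss([u8; 4]), // stratum 0: reference ID holds an ASCII kiss code
    Malformed,
}

/// Added illustration (hypothetical names, not the ntpd-rs API):
/// classify a raw reply using the fixed 48-byte NTPv4 header.
pub fn classify(pkt: &[u8]) -> Reply {
    if pkt.len() < 48 || (pkt[0] & 0x07) != 4 {
        return Reply::Malformed; // too short, or not mode 4 (server)
    }
    match pkt[1] {
        0 => Reply::Kiss([pkt[12], pkt[13], pkt[14], pkt[15]]),
        1..=15 => Reply::Time,
        _ => Reply::Malformed,
    }
}

/// Constructed sample reply; only the fields classify() reads are set.
pub fn sample_reply(stratum: u8, ref_id: &[u8; 4]) -> [u8; 48] {
    let mut p = [0u8; 48];
    p[0] = (4 << 3) | 4; // version 4, mode 4
    p[1] = stratum;
    p[12..16].copy_from_slice(ref_id);
    p
}

pub struct Client { pub poll_secs: u64, pub next_send: u64 }
impl Client {
    /// Timer tick: a request goes out only at the scheduled poll time.
    pub fn due(&mut self, now: u64) -> bool {
        if now < self.next_send { return false; }
        self.next_send = now + self.poll_secs;
        true
    }
    /// Reply handler: kiss codes are dropped and never touch next_send.
    pub fn accepts(&self, pkt: &[u8]) -> bool { classify(pkt) == Reply::Time }
}

/// Requests sent in `secs` seconds when every request is answered with `reply`.
pub fn requests_sent(reply: &[u8], poll_secs: u64, secs: u64) -> u64 {
    let (mut c, mut sent) = (Client { poll_secs, next_send: 0 }, 0);
    for now in 0..=secs {
        if c.due(now) { sent += 1; let _ = c.accepts(reply); }
    }
    sent
}
fn main() { println!("{}", requests_sent(&sample_reply(0, b"DENY"), 16, 64)); }
```

With a 16-second poll interval the client sends the same number of requests in 64 seconds whether every reply is a DENY or a normal time sample.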