[nacs]

Would it be possible for the NTP server to detect what type of device/OS is sending the request and block it (ie: could au/nz.pool.ntp.org servers block all TP-Link requests to teach them a lesson)?

If they can't do that maybe they can just detect IPs that are making requests every 5 seconds as the TP-Link products are doing and block those since they're in violation of the once-every-10-minutes-maximum rule for the NTP servers)?

[mattstreet]

I'm a bit rusty, but I believe the way NTP works (at least the reference version which is commonly used) is that if a client sends too many requests in a short time, they are ignored except to reply with a "back off packet" which is called the KoD (Kiss of death) in NTP terms.

Security audits have found some issues with abusing the KoD so I'm not sure if it still works like that or if it tends to be disabled. (I was on one of the teams doing the audit, I found the "Skeleton Key" defect)

https://www.eecis.udel.edu/~mills/ntp/html/rate.html#kiss

If you wanted to help the server deal with DoS even better, I would guess the best solution is to put a rate limiting firewall in front of it.

[samstave]

Out-of-the-loop: what products are using TP-Link?

Aside: maybe there should be a governing body for comm protocol behavior? (Semi sarcastic)

[ganoushoreilly]

TP-link is a manufacturer of multiple devices and an OEM for others. I would imagine, if consistent across firmwares, there are a lot of requests being made. https://en.wikipedia.org/wiki/TP-Link