[ntp:questions] Public ntp-server and reflection-attacks

Steve Kostecke kostecke at ntp.org
Mon Dec 23 19:22:23 UTC 2013


On 2013-12-23, Jure Sah <dustwolfy at gmail.com> wrote:

> On 23. 12. 2013 15:13, Rob wrote:
>
> For noquery I understand, but for "nopeer"? The manual page states:
>
>> Deny packets that might mobilize an association unless authenticated.
>> This includes broadcast, symmetric-active and manycast server
>> packets when a configured association does not exist. Note that this
>> flag does not apply to packets that do not attempt to mobilize an
>> association.
>
> Doesn't this always happen when a new ntp server somewhere on the
> internet chooses to use your NTP server as a peer?

The word "peer" has multiple meanings in NTP.

We colloquially refer to a remote ntpd which is used as a time source as
a "peer". Witness the 'ntpq -p' peer billboard.

The "peer" configuration directive can be used in ntp.conf to establish
a bidirectional association between two ntpds (i.e. an association where
both nodes poll the other node for the time). 'nopeer' blocks these
associations.

By way of comparison ... The "server" configuration directive is used
to establish a unidirectional association between two ntpds (i.e. only
one node polls the other node). These associations are not blocked by
'nopeer'.

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
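An ntp.conf fragment illustrating the distinction above, added here as an example and not taken from the thread: the default restrict line carries nopeer and noquery, the unidirectional server associations keep working under it, and a bidirectional peer needs either an explicit exemption or authentication. Hostnames, addresses and the key id are placeholders.

```conf
# Default policy for all remote hosts: serve time, but
#   noquery  - refuse ntpq/ntpdc mode 6/7 queries (the traffic that is
#              reflected/amplified in the attacks the thread is about)
#   nopeer   - refuse unauthenticated packets that would mobilize a new
#              association here (symmetric-active "peer", broadcast,
#              manycast server)
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse trap service
#   kod      - answer rate-limited/denied packets with Kiss-o'-Death
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Localhost keeps full access, so 'ntpq -p' on the box still works.
restrict 127.0.0.1
restrict -6 ::1

# Unidirectional "server" associations: this host polls upstream; the
# upstream never has to mobilize an association on this host, so the
# default nopeer does not interfere. (placeholder hostnames)
server time1.example.invalid iburst
server time2.example.invalid iburst

# Bidirectional "peer" association with one known partner. Its
# symmetric-active packets would be dropped by the default nopeer, so
# either exempt that address explicitly ... (placeholder address)
restrict 192.0.2.10 kod nomodify notrap noquery
peer 192.0.2.10

# ... or authenticate the association: per the manual text quoted in
# the thread, nopeer only applies to unauthenticated packets.
# keys /etc/ntp.keys
# trustedkey 1
# peer 192.0.2.10 key 1

# Additionally switch off the monitoring facility (monlist) that the
# amplification attacks query; noquery alone already blocks it for
# remote hosts, this removes the data source entirely.
disable monitor
```

The more specific `restrict 192.0.2.10` entry takes precedence over `restrict default` for that address only; every other host still hits the nopeer/noquery policy.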