[ntp:questions] Public ntp-server and reflection-attacks

Rob nomail at example.com
Thu Dec 26 10:54:34 UTC 2013

Jure Sah <dustwolfy at gmail.com> wrote:
> On 23. 12. 2013 18:14, Rob wrote:
>>> I would just like to understand this...
>>> For noquery I understand, but for "nopeer"? The manual page
>>> states:
>>>> Deny packets that might mobilize an association unless 
>>>> authenticated. This includes broadcast, symmetric-active and 
>>>> manycast server packets when a configured association does not 
>>>> exist. Note that this flag does not apply to packets that do
>>>> not attempt to mobilize an association.
>> A peer is a two-way server-server link.  Not a client using your 
>> server, but a server that syncs time with you and vice-versa.
>>> Doesn't this always happen when a new ntp server somewhere on
>>> the internet chooses to use your NTP server as a peer?
>> You don't want that.  NTP servers that are peers should be only 
>> added upon mutual agreement.  A normal client of the pool is only a
>> client of your server, not a peer. (i.e. they sync time to you, but
>> you don't get time sync from them)
> So in other words, a lower-stratum NTP server which uses my NTP server
> as it's source of accurate time, is a client and not a peer?
> LP,
> Jure

It is a higher-stratum server.  But indeed it is only a client, not
a peer.  When using ntpd, a "server" line in the config specifies
you as a server and the system where that config is used is a client.
This is allowed even when "nopeer" is configured in your ntpd.

A "peer" line (instead of server) can be used to setup a bidirectional
sync to another server that should have a corresponding "peer" line
in its ntp.conf as well.  This is called "symmetric-active".
For this to work, a restrict line for that address without "nopeer"
is required.  Instead, you can just use "server" at each end and both
systems will be client of the other system.  In my experience, this
usually works better anyway.

More information about the questions mailing list