[ntp:questions] better rate limiting against amplification attacks?

Rob nomail at example.com
Fri Dec 27 10:24:23 UTC 2013

What is the NTP developers position on implementation of better
rate limiting options in ntpd?

There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers.  A small packet sent
with a spoofed source address (allowed by a lame ISP) results in
a large reply from ntpd, sent to the victim of the attack.

Possible candidates are of course the commands to retrieve the list
of clients (similar to "ntpdc -c monlist") and and the list of
associated servers ("ntpq -p").

The options to limit the replies to those responses are not very
detailed.  One can deny all queries, but that is about it.

It would be useful to have configurable rate limiting like on the normal
time queries, and preferably configurable as global.  So the rate of
all queries should be limited, not per source IP address.  And it would
be good if queries can be denied individually, so that the peer servers
query can still be issued but the monlist query cannot.

Of course all of this can be done in a good firewall, but it usually
requires lots of knowledge about the protocol details.  It would be
nice if ntpd could filter this at application level.

Is this being considered?

More information about the questions mailing list