[ntp:questions] better rate limiting against amplification attacks?

Garrett Wollman wollman at bimajority.org
Fri Dec 27 19:27:17 UTC 2013


In article <52BDBD18.9070405 at oracle.com>,
Brian Utterback  <brian.utterback at oracle.com> wrote:
>Not at all. I am asking the parameters of the attack. Is the current 
>software solution sufficient to stop such attacks? If so, then the 
>solution is for the servers to upgrade. Indeed, no solution we craft for 
>the current software development will help sites that do not upgrade.

The current software solution is sufficient to stop many attacks, but
requires significant protocol understanding in order to configure it
correctly, and may (the documentation is unclear) be too draconian a
solution.

For example, my servers are currently configured with
	restrict default nomodify nopeer noquery notrap limited

But I actually wouldn't mind allowing queries, provided they were
subject to a reasonable rate limit (say, no more than 1 per client per
five-second interval).

Without "noquery" and "limited", my servers were generating about 25
Mbit/s last week, but I don't know which of these options actually
made the difference.

Note that this does *not* completely stop the attack, but it mitigates
the effect that it has on an individual NTP server's host network.
Unfortunately, I had to completely block NTP crossing our border
(except for six authorized servers) as there are far too many NTP
servers on our network with a default configuration that I have no
direct administrative control over.  It would be better if ntpd
defaulted to a non-exploitable configuration.

-GAWollman
-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
wollman at bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners? - S.J. Gould, 1993
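For reference, an ntp.conf fragment added here as an illustration of how the "limited" flag in the restrict line above is tied to the "discard" command that sets the per-client rate. This is not Garrett's configuration and not text from the ntp distribution; the interval values and the management-host address are assumptions, chosen to approximate the one-query-per-five-seconds figure in the post, and the syntax is that of ntpd 4.2.6 and later:

```conf
# Rate-limit parameters consulted by the "limited" restrict flag (ntpd 4.2.6+).
# minimum: guard time in seconds between two packets from one source address
#          (5 is an assumed value matching the "1 per 5 s" figure above).
# average: minimum average spacing in log2 seconds (3 -> 8 s, the default).
discard minimum 5 average 3

# Default policy: no runtime modification, no peering, no traps, rate-limited.
# "kod" only has an effect together with "limited": over-rate time clients get
# a kiss-o'-death packet instead of a silent drop.  "noquery" still blocks
# mode 6/7 control queries, which is where the monlist amplification lives.
restrict default kod nomodify nopeer notrap noquery limited
restrict -6 default kod nomodify nopeer notrap noquery limited

# Loopback and one management host keep query access.
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap     # assumed address (RFC 5737 documentation range)

# Turn off the MRU "monitor" facility so monlist has nothing to return even
# where a query does get through; this is already the default from 4.2.7p26 on.
disable monitor
```

Two caveats a practitioner should keep in mind. First, "limited" decides per source address whether a packet is admitted at all; an admitted mode 7 monlist query still returns up to 100 response packets, so the rate limit bounds the amplification per spoofed victim address per guard interval, it does not remove it. Second, the limit is keyed on the source address the attacker forges, so the only configuration that closes the vector outright on an unpatched server is "noquery" (or "disable monitor"), which is why the restrict line keeps both even when "limited" is present.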
