[ntp:questions] better rate limiting against amplification attacks?
Harlan Stenn
stenn at ntp.org
Fri Dec 27 19:58:45 UTC 2013
Garrett Wollman writes:
> In article <52BDBD18.9070405 at oracle.com>,
> Brian Utterback <brian.utterback at oracle.com> wrote:
> >Not at all. I am asking the parameters of the attack. Is the current
> >software solution sufficient to stop such attacks? If so, then the
> >solution is for the servers to upgrade. Indeed, no solution we craft for
> >the current software development will help sites that do not upgrade.
>
> The current software solution is sufficient to stop many attacks, but
> requires significant protocol understanding in order to configure it
> correctly, and may (the documentation is unclear) be too draconian a
> solution.
>
> For example, my servers are currently configured with
> restrict default nomodify nopeer noquery notrap limited
>
> But I actually wouldn't mind allowing queries, provided they were
> subject to a reasonable rate limit (say, no more than 1 per client per
> five-second interval).
>
> Without "noquery" and "limited", my servers were generating about 25
> Mbit/s last week, but I don't know which of these options actually
> made the difference.
I'd bet noquery.
> Note that this does *not* completely stop the attack, but it mitigates
> the effect that it has on an individual NTP server's host network.
What packets remain?
> Unfortunately, I had to completely block NTP crossing our border
> (except for six authorized servers) as there are far too many NTP
> servers on our network with a default configuration that I have no
> direct administrative control over. It would be better if ntpd
> defaulted to a non-exploitable configuration.
I'll do what I can on this. It will require cooperation and
collaboration with various OS folks.
H
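As an added illustration (not part of the original thread, and not a configuration Harlan or Garrett posted), here is the kind of ntp.conf access-control block the discussion is circling around: the "deny everything remote" shape Garrett quoted, beside a variant that allows queries but rate-limits them per client, which is what he says he would prefer. The `discard` and `kod` keywords, and the unit semantics in the comments, are taken from the ntpd access-control documentation for 4.2.6-era ntpd and are assumed here rather than stated in the thread; the loopback and per-server `restrict` lines are assumptions about a typical deployment.

```conf
# --- Variant A: the configuration Garrett quotes (assumed context) ---
# Remote clients may sync time only; no mode-6/7 control or monitoring
# queries, no peer association, no runtime modification, and the
# "limited" flag subjects them to the rate limits set by "discard".
restrict default nomodify nopeer noquery notrap limited
restrict -6 default nomodify nopeer noquery notrap limited

# Localhost keeps full access so ntpq/ntpdc on the host still work.
restrict 127.0.0.1
restrict -6 ::1

# --- Variant B: allow queries, but rate-limit every remote client ---
# "discard" sets the rate limits that "limited" enforces per source address:
#   average N : minimum average inter-packet spacing, in log2 seconds
#               (default 3, i.e. 8 s)
#   minimum N : minimum spacing between two packets from one client,
#               in seconds (default 2)
# Setting minimum to 5 approximates the "no more than 1 per client per
# five-second interval" Garrett asks for.  (Assumed mapping; tune to taste.)
discard average 3 minimum 5

# "kod" returns a rate-limited kiss-o'-death packet to clients that
# exceed the limits so well-behaved clients back off; noquery is dropped
# here so monitoring queries are answered, but only within the rate limit.
restrict default kod nomodify nopeer notrap limited
restrict -6 default kod nomodify nopeer notrap limited
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers you sync from still need query/peer rights denied
# so they cannot reconfigure you, but are otherwise trusted (assumed hosts).
server ntp1.example.invalid iburst
restrict ntp1.example.invalid nomodify notrap noquery
```

Two caveats a practitioner would check before relying on Variant B: rate limiting in ntpd is keyed on the source address in the MRU list, so it bounds the per-source rate but does nothing about the aggregate rate or the traffic that a spoofed source still elicits up to that limit, which is why Garrett notes that the limit only reduces the effect on his own host network. Second, the `discard` units differ between the two keywords (log2 seconds versus seconds), which is exactly the documentation ambiguity the thread complains about, so verify the effective limits with `ntpq -c sysstats` (the rate-limited counters) on a test host rather than trusting the comments above.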