[ntp:questions] better rate limiting against amplification attacks?

Harlan Stenn stenn at ntp.org
Fri Dec 27 20:39:21 UTC 2013


detha writes:

> A first step would be to have a default configuration where any
> functionality that can be used for reflection attacks with more than a
> say 2:1 ratio needs to be explicitly enabled, with warnings about this
> in the sample config file(s).
> 
> Better would be a per-IP-address request or rate limit. I realize that
> on a busy server this involves a huge chunk of memory to keep track of
> recent requests, but (apart from redesigning the protocol, or plainly
> not allowing anything but standard client traffic) it seems to be the
> only way to mitigate the use of NTP in reflection attacks. Given
> enough servers, an attacker could still mount an attack by staying
> just under the limit for each server, but (especially if that limit
> could be different for each server) it makes the attacker's task a lot
> harder.
> 
> If the limit should be 'no more than n requests per source IP per
> minute', or 'not more than x kB/sec traffic to an IP' is another
> question. I'd say the latter - there are valid cases with multiple
> clients behind a single NATed IP, and a tight request limit could
> interfere with those.

Patches are greatly appreciated.

Financial support to pay folks to work on things volunteers aren't
available to do is greatly appreciated.

-- 
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!
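The per-source limit that detha argues for above (charging by reply bytes rather than request count, with bounded memory for the tracking table) can be sketched as a token bucket keyed on source address. The block below is an added example written for this page; it is not code from the thread or from the ntp project, and the class name, thresholds (2 kB/s, 2 kB burst, 10,000 tracked sources) and the traffic in `demo()` are all constructed assumptions.

```python
from collections import OrderedDict

# Constructed parameters (assumptions, not values taken from the thread):
# allow roughly 2 kB/s of reply bytes to any single source address, with a
# 2 kB burst allowance, and remember state for at most 10,000 addresses.
RATE_BYTES_PER_SEC = 2000.0
BURST_BYTES = 2000.0
MAX_TRACKED_SOURCES = 10_000


class SourceRateLimiter:
    """Token bucket per source IP, charged in reply bytes rather than requests.

    Charging what the server would send back (not what it receives) is what
    bounds the amplification obtainable through it: a 48-byte time reply and a
    large multi-packet monitoring reply are charged according to their cost to
    the address they are sent to, so many clients behind one NAT address share
    one byte budget instead of one request count.
    """

    def __init__(self, rate=RATE_BYTES_PER_SEC, burst=BURST_BYTES,
                 max_sources=MAX_TRACKED_SOURCES):
        self.rate = rate
        self.burst = burst
        self.max_sources = max_sources
        # src_ip -> (tokens, last_seen); insertion order doubles as LRU order.
        self.buckets = OrderedDict()

    def allow(self, src_ip, reply_bytes, now):
        """Return True if a reply of reply_bytes may be sent to src_ip at time now."""
        # Unknown addresses start with a full bucket; pop() so re-insertion
        # below moves the entry to the most-recently-used end.
        tokens, last_seen = self.buckets.pop(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last_seen) * self.rate)
        permitted = reply_bytes <= tokens
        if permitted:
            tokens -= reply_bytes
        self.buckets[src_ip] = (tokens, now)
        # Bound memory: evict the least recently seen address once the table
        # is full. An evicted address returns later with a fresh allowance,
        # which is the memory/accuracy trade-off the thread mentions.
        while len(self.buckets) > self.max_sources:
            self.buckets.popitem(last=False)
        return permitted

    def tracked(self):
        """Number of source addresses currently holding state."""
        return len(self.buckets)


def simulate(limiter, events):
    """Run (time, src_ip, reply_bytes) events; return {src_ip: (sent, dropped)}."""
    stats = {}
    for now, src_ip, size in events:
        sent, dropped = stats.get(src_ip, (0, 0))
        if limiter.allow(src_ip, size, now):
            sent += 1
        else:
            dropped += 1
        stats[src_ip] = (sent, dropped)
    return stats


def demo():
    """Constructed traffic: 100 requests arriving at once whose replies would
    all go to 198.51.100.7 (the kind of spoofed-source burst a reflection
    attack produces), plus one ordinary poll from 203.0.113.9."""
    events = [(0.0, "198.51.100.7", 48) for _ in range(100)]
    events.append((0.0, "203.0.113.9", 48))
    return simulate(SourceRateLimiter(), events)


if __name__ == "__main__":
    # With a 2000-byte burst and 48-byte replies, 41 replies fit and 59 are
    # dropped for the flooded address; the other client is unaffected.
    print(demo())
```

Two properties follow directly from the design: a reply larger than the burst allowance is never sent at all, and an address that stays quiet refills at the configured rate, so a legitimate client polling every few minutes never sees a drop. The size of the tracking table is itself a tuning knob, since eviction under churn hands an address a fresh bucket; a server that expects millions of distinct clients must weigh that against the memory cost detha raises.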

