[ntp:questions] better rate limiting against amplification attacks?

Terje Mathisen terje.mathisen at tmsw.no
Sat Dec 28 10:31:22 UTC 2013

Steve Kostecke wrote:
> On 2013-12-27, detha <detha at foad.co.za> wrote:
>> A first step would be to have a default configuration where any
>> functionality that can be used for reflection attacks with more than a say
>> 2:1 ratio needs to be explicitly enabled, with warnings about this in the
>> sample config file(s).
> The NTP Reference Implementation has no default use case. So there is no
> "baked-in" sensible default configuration. Some view this as a feature.

With the current dev code it seems to me that, for the first time, it is 
possible to define a useful default configuration, maybe something like 

pool pool.ntp.org  # Self-optimising set of network servers
restrict source    # Allow the same servers to query us back
restrict default nopeer noquery limit

(The default restrict is open for discussion!)

- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"

More information about the questions mailing list