[ntp:questions] better rate limiting against amplification attacks?
Terje Mathisen
terje.mathisen at tmsw.no
Sat Dec 28 10:31:22 UTC 2013
Steve Kostecke wrote:
> On 2013-12-27, detha <detha at foad.co.za> wrote:
>
>> A first step would be to have a default configuration where any
>> functionality that can be used for reflection attacks with more than a say
>> 2:1 ratio needs to be explicitly enabled, with warnings about this in the
>> sample config file(s).
>
> The NTP Reference Implementation has no default use case. So there is no
> "baked-in" sensible default configuration. Some view this as a feature.
With the current dev code it seems to me that, for the first time, it is
possible to define a useful default configuration, maybe something like
this:
pool pool.ntp.org # Self-optimising set of network servers
restrict source # Allow the same servers to query us back
restrict default nopeer noquery limit
(The default restrict is open for discussion!)
Terje
--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
More information about the questions
mailing list