[ntp:questions] better rate limiting against amplification attacks?

Greg Troxel gdt at ir.bbn.com
Sat Dec 28 15:01:08 UTC 2013

Steve Kostecke <kostecke at ntp.org> writes:

> On 2013-12-27, detha <detha at foad.co.za> wrote:
>> A first step would be to have a default configuration where any
>> functionality that can be used for reflection attacks with more than a say
>> 2:1 ratio needs to be explicitly enabled, with warnings about this in the
>> sample config file(s).
> The NTP Reference Implementation has no default use case. So there is no
> "baked-in" sensible default configuration. Some view this as a feature.

I think that's a bug.  There are in my view two default cases:

  setting up the local machine to synchronize from organization/local s3
  or so servers.

  setting up a few machines to be the above s3ish servers

In both cases, there is no need to allow monlist-or-equivalent from
other than localhost, and no real harm in answering time queries.

The other significant use case is running a s1, but a) those people are
expected to be more clueful and b) the above rules don't hurt that case
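The defaults the post argues for (monlist and other ntpq/ntpdc control queries refused except from localhost, plain time service still answered, plus rate limiting) map onto the `restrict` directive in ntp.conf. Below is an added example that is not part of the original mail or of the NTP project: two constructed ntp.conf fragments, one hardened and one open, and a small POSIX shell function that audits the `restrict default` line of a config so a deployment script can refuse to ship an amplifier. Server names, file contents and the function name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original mail or ntpd). Audits the default
# restrict policy in an ntp.conf-style text for the amplification risk the
# thread discusses. All configs below are constructed for illustration.

# Constructed hardened config: the default restrict line carries
#   noquery  - refuse ntpq/ntpdc control queries (monlist) from the world
#   limited  - apply the discard/rate-limit rules to unknown clients
#   kod      - send a Kiss-o'-Death packet to rate-limited clients
# Time requests are still answered, and localhost keeps full access.
HARDENED_CONF='
driftfile /var/lib/ntp/ntp.drift
server ntp1.example.org iburst
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
'

# Constructed config that disables the monitor facility outright; this removes
# the monlist data source for everyone, including localhost.
NOMONITOR_CONF='
server ntp1.example.org iburst
disable monitor
restrict default kod nomodify notrap nopeer
'

# Constructed open config: noquery is missing, so any remote host may issue
# monlist and use the server as a reflector.
OPEN_CONF='
server ntp1.example.org iburst
restrict default kod nomodify notrap nopeer
'

# check_default_restrict CONF_TEXT
# Returns 0 (and prints "ok: ...") when remote control queries are refused,
# either because "disable monitor" is set or because the default restrict
# line contains noquery. Returns 1 (and prints "FAIL: ...") otherwise,
# including when there is no "restrict default" line at all.
check_default_restrict() {
    conf="$1"

    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*disable[[:space:]]+monitor'; then
        echo "ok: 'disable monitor' present, monlist data is not collected"
        return 0
    fi

    # Accept the plain, -4 and -6 forms of the default entry; take the first.
    line=$(printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+|-6[[:space:]]+)?default' \
        | head -n 1)

    if [ -z "$line" ]; then
        echo "FAIL: no 'restrict default' line, all clients get full access"
        return 1
    fi

    # Pad with spaces so the flag matches only as a whole word.
    case " $line " in
        *" noquery "*)
            echo "ok: default restrict refuses control queries: $line"
            return 0 ;;
        *)
            echo "FAIL: default restrict still answers monlist/ntpdc queries: $line"
            return 1 ;;
    esac
}

# Stand-alone run: audit the three constructed configs.
for c in "$HARDENED_CONF" "$NOMONITOR_CONF" "$OPEN_CONF"; do
    check_default_restrict "$c" || true
done
```

The function only inspects the default entry because that is the one an anonymous Internet client hits; the explicit `restrict 127.0.0.1` and `restrict ::1` lines are what keep local monitoring working, so they are left untouched rather than being flagged.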