[ntp:questions] better rate limiting against amplification attacks?

Greg Troxel gdt at ir.bbn.com
Thu Jan 16 00:52:06 UTC 2014


Brian Utterback <brian.utterback at oracle.com> writes:

> On 1/15/2014 7:18 PM, Greg Troxel wrote:
>> [invalid William has been trimmed from the cc list]
>>
>> Harlan Stenn <stenn at ntp.org> writes:
>>
>>> William Unruh writes:
>>>> I do not mean the default in the config file, I mean the default if
>>>> there is no config file or if nothing is set in the config file.
>>> Then ntpd won't connect to anything and there will be no data to report.
>> This is a ridiculous strawman.   The ntp project is abdicating its
>> responsibility to provide sane default behavior by claiming that no
>> default behavior can make everyone happy and therefore it's not their
>> fault.  The notion that OS packagers somehow have a better idea of usage
>> is also specious.
>>
>> Really, ntpd should, when run with a config file of only
>>
>>    server 0.pool.ntp.org
>>    server 1.pool.ntp.org
>>    server 2.pool.ntp.org
>>
>> behave relatively sanely, including declining to respond to packets that
>> could be amplification attacks, while being usable as a s2/s3 to other
>> nearby nodes.  This notion of good behavior under minimal config seems
>> really obvious to me, yet there is a huge resistance to it, with the
>> notion that every end user should invest the time to be an expert.
>> And, as far as I can tell, seems to be as simple as 'restrict noquery'
>> as a compiled-in default before any restrict statements are given.  Yet
>> that does not happen.

> By default, the dev branch software doesn't respond to mode 7 packets
> and even if mode 7 packets are enabled it still doesn't respond to
> monlist requests. So, if it is as simple as you say, then you've got
> your wish already.

That's good to know - thanks for clarifying.  This has been unclear
since I keep hearing that no defaults are acceptable and that anyone
using ntpd needs to understand and configure it, as opposed to hearing
that there are sane defaults and it's not a big deal.



More information about the questions mailing list