[ntp:questions] better rate limiting against amplification attacks?

Martin Burnicki martin.burnicki at meinberg.de
Thu Jan 16 15:18:19 UTC 2014


Miroslav Lichvar wrote:
> On Thu, Jan 16, 2014 at 02:28:32PM +0100, Martin Burnicki wrote:
>> Harlan Stenn wrote:
>>>   pool 0.debian.pool.ntp.org iburst
>>
>> I bet the "server" options for pool servers are in there because
>> this was used in earlier versions before the "pool" keyword was
>> introduced, and it still works.
>>
>>> instead, and I'd have to look up when the 'pool' directive was put in
>>> there.
>>
>> IIRC this is supported in 4.2.6, but has not been supported in
>> 4.2.4p8 and earlier. If the ntp.conf file shipped with a particular
>> OS has been initially created a long time ago and always been
>> updated for newer NTP versions then I'm not surprised to see this.
>
> IIRC the pool command in 4.2.6 uses quite a lot of servers, which
> probably is not an acceptable use of pool.ntp.org. I think it was
> improved later in 4.2.7. The page about recommended configuration
> doesn't mention it yet.
>
> http://www.pool.ntp.org/en/use.html
>
> Vendors should be careful with the pool command.

Indeed.

Personally I'm not using the pool command very often since in most cases 
I have to deal with specific refclocks. I'm biased. ;-)

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany


