[ntp:hackers] i think it's time to review ntp's default acl's

Poul-Henning Kamp phk at phk.freebsd.dk
Thu Mar 23 17:20:27 UTC 2006


In message <20060323171035.B085A11426 at sa.vix.com>, Paul Vixie writes:


>can someone who knows NTP say whether a normal response is larger than a
>normal query, and whether an error response is larger than a normal query,
>and whether there is any response at all to a malformed query?

Normal NTP packets (noncrypto):
	All packets are the same size: 48 bytes.
	A server will answer all queries with exactly one packet.

	This leaves room for reflection, but not amplification.

Crypto NTP packets:
	Packets are larger than 48 bytes.
	A server will answer queries with up to one packet.

	This leaves room for reflection, but not amplification.

Control packets:
	Control packets have larger replies than queries and in
	some cases also multiple response packets for one query
	packet.

	This leaves room for reflection and amplification.

	Control packets should by default be limited to localhost IMO.
	Not sure what the exact limitations are right now.

>can someone who runs this software in production comment on the advisability
>of rate-limiting error-responses (if there are any), simulating "line loss"?

There are no error responses; packets with errors are dropped silently.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
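The following is an added example, not code from this thread or from the NTP project. It turns the three points made above into something checkable: a mode classifier that treats packets too short for their mode as malformed (to be dropped silently, with no error response), an ACL-style decision function that answers ordinary time queries from anywhere but answers mode 6 control queries only from localhost, and a reflection/amplification ratio for a query and its responses. Everything here is an assumption for illustration: the packet bytes are constructed, the 12-byte control header layout follows the public NTP control message format, mode 7 (implementation-specific "private" packets) is treated like mode 6, and "localhost" is taken to mean a loopback source address.

```python
"""Constructed NTP mode/ACL example (not from the thread or the NTP project)."""
import ipaddress
import struct

NTP_HEADER_LEN = 48          # plain (non-crypto) NTP packet size stated in the post
CONTROL_HEADER_LEN = 12      # mode-6 header: LI/VN/mode, R/E/M/op, seq, status, assoc, offset, count
TIME_MODES = {1, 2, 3, 4, 5} # symmetric active/passive, client, server, broadcast
LOCAL_ONLY_MODES = {6, 7}    # control, plus private (assumption: restrict it the same way)


def ntp_mode(packet: bytes) -> int:
    """Return the 3-bit mode from the first byte, or -1 if the packet is malformed
    (too short for its declared mode). Malformed packets get no reply at all."""
    if not packet:
        return -1
    mode = packet[0] & 0x07
    if mode in TIME_MODES and len(packet) < NTP_HEADER_LEN:
        return -1
    if mode in LOCAL_ONLY_MODES and len(packet) < CONTROL_HEADER_LEN:
        return -1
    return mode


def should_answer(src_ip: str, packet: bytes) -> bool:
    """ACL decision: time queries from anywhere, control/private only from loopback,
    anything malformed dropped silently (False)."""
    mode = ntp_mode(packet)
    if mode in TIME_MODES:
        return True
    if mode in LOCAL_ONLY_MODES:
        return ipaddress.ip_address(src_ip).is_loopback
    return False


def amplification_ratio(query: bytes, responses: list[bytes]) -> float:
    """Bytes sent back per byte received: 1.0 is pure reflection, >1.0 is amplification."""
    return sum(len(r) for r in responses) / len(query)


def risk_label(ratio: float) -> str:
    """Classify a query/response pair the way the post does."""
    if ratio == 0:
        return "no response"
    return "reflection only" if ratio <= 1.0 else "reflection and amplification"


def build_control_packet(opcode: int, sequence: int, data: bytes,
                         response: bool, more: bool = False) -> bytes:
    """Build a constructed mode-6 packet: 12-byte control header followed by data."""
    first = (4 << 3) | 6                                   # LI=0, VN=4, mode=6
    rem_op = (int(response) << 7) | (int(more) << 5) | (opcode & 0x1F)
    header = struct.pack("!BBHHHHH", first, rem_op, sequence, 0, 0, 0, len(data))
    return header + data


# Constructed sample traffic (all bytes are made up for this example)
CLIENT_QUERY = bytes([(4 << 3) | 3]) + bytes(47)          # 48-byte mode-3 client request
SERVER_RESPONSE = bytes([(4 << 3) | 4]) + bytes(47)       # 48-byte mode-4 server reply
CONTROL_QUERY = build_control_packet(2, 1, b"", response=False)   # 12-byte "read variables"
CONTROL_RESPONSES = [                                     # two 480-byte reply fragments
    build_control_packet(2, 1, b"x" * 468, response=True, more=True),
    build_control_packet(2, 1, b"y" * 468, response=True, more=False),
]
MALFORMED_QUERY = bytes([(4 << 3) | 3, 0x00])             # claims mode 3 but only 2 bytes


if __name__ == "__main__":
    for name, q, rs in [("client", CLIENT_QUERY, [SERVER_RESPONSE]),
                        ("control", CONTROL_QUERY, CONTROL_RESPONSES)]:
        ratio = amplification_ratio(q, rs)
        print(f"{name}: mode {ntp_mode(q)}, ratio {ratio:.1f} -> {risk_label(ratio)}")
    for src in ("203.0.113.9", "127.0.0.1"):
        print(f"control from {src}: answer={should_answer(src, CONTROL_QUERY)}")
    print(f"malformed: answer={should_answer('203.0.113.9', MALFORMED_QUERY)}")
```

Running it shows the client exchange at ratio 1.0 (reflection only) and the constructed control exchange at ratio 80.0 (reflection and amplification), with the control query answered from 127.0.0.1 but refused from 203.0.113.9 and the malformed packet refused everywhere. The loopback check is what the "limited to localhost by default" suggestion amounts to in code; a real ACL would also cover the server's own non-loopback addresses.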