[ntp:questions] Public ntp-server and reflection-attacks

Jure Sah dustwolfy at gmail.com
Thu Dec 26 10:45:46 UTC 2013



On 23. 12. 2013 18:14, Rob wrote:
>> I would just like to understand this...
>> 
>> For noquery I understand, but for "nopeer"? The manual page
>> states:
>>> Deny packets that might mobilize an association unless 
>>> authenticated. This includes broadcast, symmetric-active and 
>>> manycast server packets when a configured association does not 
>>> exist. Note that this flag does not apply to packets that do
>>> not attempt to mobilize an association.
> 
> A peer is a two-way server-server link.  Not a client using your 
> server, but a server that syncs time with you and vice-versa.
> 
>> Doesn't this always happen when a new ntp server somewhere on
>> the internet chooses to use your NTP server as a peer?
> 
> You don't want that.  NTP servers that are peers should be only 
> added upon mutual agreement.  A normal client of the pool is only a
> client of your server, not a peer. (i.e. they sync time to you, but
> you don't get time sync from them)

So in other words, a lower-stratum NTP server which uses my NTP server
as its source of accurate time is a client and not a peer?

LP,
Jure



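Added example, not part of the original message and not ntpd's own code: a simplified model of the nopeer and noquery restrict flags, following the manual text quoted above. The mode field in the first octet of a packet is what separates an ordinary client request (mode 3) from packets that try to mobilize an association. The function names and the "configured"/"authenticated" parameters are assumptions made for this illustration.

```python
# Simplified model of the restrict flags discussed in this thread.
# Illustration only; real ntpd applies more checks than shown here.

MODE_NAMES = {
    1: "symmetric-active", 2: "symmetric-passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)",
}
# Modes that try to mobilize an association when none is configured:
# symmetric-active, manycast server replies (mode 4), and broadcast.
MOBILIZING = {1, 4, 5}
# Modes used by the ntpq and ntpdc query tools.
QUERY = {6, 7}


def parse_header(packet: bytes):
    """Return (version, mode) from the first octet of an NTP packet."""
    if not packet:
        raise ValueError("empty packet")
    return (packet[0] >> 3) & 0x7, packet[0] & 0x7


def decide(packet, flags, configured=False, authenticated=False):
    """Return (mode_name, verdict) for a packet under the given restrict flags."""
    _, mode = parse_header(packet)
    name = MODE_NAMES.get(mode, "reserved")
    if "noquery" in flags and mode in QUERY:
        return name, "denied by noquery"
    if ("nopeer" in flags and mode in MOBILIZING
            and not configured and not authenticated):
        return name, "denied by nopeer"
    return name, "allowed"


def first_octet(version, mode, leap=0):
    """Build a constructed packet: LI/VN/Mode octet plus 47 zero bytes."""
    return bytes([(leap << 6) | (version << 3) | mode]) + bytes(47)


if __name__ == "__main__":
    flags = {"nopeer", "noquery"}
    # Constructed sample packets, one per mode of interest (NTP version 4).
    for mode in (3, 1, 5, 4, 6, 7):
        print(decide(first_octet(4, mode), flags))
```

A host that lists your server with a "server" line sends mode 3 packets, which this model leaves untouched by nopeer; a host that lists it with a "peer" line sends mode 1.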


