[ntp:questions] better rate limiting against amplification attacks?

Brian Utterback brian.utterback at oracle.com
Sat Dec 28 01:42:07 UTC 2013


On 12/27/2013 5:50 PM, Jochen Bern wrote:
> On 27 Dec 2013, Brian Utterback wrote:
>> Is a peer list really a big problem? It generally doesn't make sense to
>> have much beyond 10 peers. Are there really a lot of servers with a lot
>> of peers?
> If you mean to ask whether such a setup exists at all, here's a real
> world example:
>
>> # ntpdc -n -c monlist | wc -l
>> 602
> We ship appliances to SMBs whose factory-default setup points them to
> this NTP server (i.e., no filtering by client IP). The local admin's
> supposed to change the config to local NTP, SMTP, etc. etc. servers, but
> not all of them do, to put it mildly. :-{
>
> Typical? Certainly not. *Lots* of such servers? Hmmm, let's say
> "possibly enough" (to still allow such attacks to happen unless they can
> be prevented by careful configuration).
>
> (FWIW, in the meantime, I added "nopeer", which I had initially left out
> in favor of several "setvar ... default"s.)
>
> Regards,
> 								J. Bern
>

But monlist doesn't work with the latest software. It was replaced by 
mrulist which requires a handshake at the beginning, so the request 
address can't be spoofed. That's what I meant by having to upgrade no 
matter what we do.

Brian Utterback
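The "careful configuration" Jochen mentions and the nopeer/upgrade points in this thread, written out as an ntp.conf fragment. This is an added example, not configuration from either poster; the server addresses and the CIDR blocks are placeholders, and the directives shown (restrict, discard, disable monitor) are those of the ntpd reference implementation as documented for the 4.2.x series.

```conf
# --- Open configuration of the kind that answers monlist for anyone (weak) ---
# A bare default restrict line (or none at all) lets any source address
# send control/mode-7 queries, so a spoofed request draws a 600-entry
# reply aimed at the victim.
#restrict default
#server 0.pool.ntp.org        # PLACEHOLDER upstream

# --- Hardened configuration (recommended) ---
# Refuse everything by default except plain time requests from clients:
#   kod      send a Kiss-o'-Death packet when a client exceeds the rate limit
#   limited  apply the "discard" rate limits below to this address range
#   nomodify deny runtime configuration changes via ntpq/ntpdc
#   notrap   deny the mode-6 trap service
#   nopeer   do not let an unconfigured remote host become a peer
#   noquery  deny ntpq/ntpdc status queries (this is what blocks monlist/mrulist)
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Rate limits used by the "limited"/"kod" flags:
#   minimum  shortest allowed interval between packets from one host (2^1 s)
#   average  average interval enforced over time (2^3 = 8 s)
discard minimum 1 average 3

# Allow the configured upstream servers to reply to us but not to query/modify.
restrict 192.0.2.10 nomodify notrap nopeer noquery     # PLACEHOLDER upstream
server   192.0.2.10 iburst

# Local management from the host itself only.
restrict 127.0.0.1
restrict ::1

# Clients on the internal network may sync but may not query or peer.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer noquery   # PLACEHOLDER LAN

# Stop keeping the per-client MRU list altogether. On versions that still
# implement monlist this removes the reply; on newer ones it removes mrulist.
disable monitor
```

After reloading, a quick local check is `ntpdc -n -c monlist 127.0.0.1` (old versions) or `ntpq -c mrulist` (4.2.7+): with `disable monitor` in place both should report that the list is unavailable rather than enumerate clients, and a query from any address covered by `noquery` is dropped before any reply is generated, so the amplification factor for that address is zero regardless of how many peers the server has.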