[ntp:questions] better rate limiting against amplification attacks?
gdt at ir.bbn.com
Sat Dec 28 15:01:08 UTC 2013
Steve Kostecke <kostecke at ntp.org> writes:
> On 2013-12-27, detha <detha at foad.co.za> wrote:
>> A first step would be to have a default configuration where any
>> functionality that can be used for reflection attacks with more than a say
>> 2:1 ratio needs to be explicitly enabled, with warnings about this in the
>> sample config file(s).
> The NTP Reference Implementation has no default use case. So there is no
> "baked-in" sensible default configuration. Some view this as a feature.
I think that's a bug. There are in my view two default cases:
setting up the local machine to synchronize from organization/local s3
or so servers.
setting up a few machines to be the above s3ish servers
In both cases, there is no need to allow monlist-or-equivalent from
other than localhost, and no real harm in answering time queries.
The other significant use case is running a s1, but a) those people are
expected to be more clueful and b) the above rules don't hurt that case
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 180 bytes
Desc: not available
More information about the questions