[ntp:questions] Public ntp-server and reflection-attacks

Steve Kostecke kostecke at ntp.org
Thu Nov 21 21:09:02 UTC 2013


On 2013-11-21, Michael Sinatra <michael at rancid.berkeley.edu> wrote:

> There are several ways, but having a basic 'restrict' statement in
> your config like this will help mitigate [reflection attacks]:
>
> restrict default noquery nomodify notrap nopeer
> restrict -6 default noquery nomodify notrap nopeer
>
> I believe the key command is 'noquery' which means that the server
> can't be queried for information (it does NOT affect the server's
> ability to respond to time requests).

The access control directives mentioned above are documented at
http://doc.ntp.org/4.2.6p5/accopt.html (stable release) and at
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html (development
release).

[snip]

> (I am also interested in how others are locking down public NTP
> servers.)

You want to take a look at the Support.AccessRestrictions topic in our
community supported documentation. It is at
http://support.ntp.org/Support/AccessRestrictions

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
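
An added example, not part of the original message and not NTP project code: a small audit that checks whether an ntp.conf carries the default `restrict` flags quoted above for both address families. The function name and both sample configs are constructed here; treating a bare `restrict default` as IPv4-only is an assumption taken from the two-line form in the quoted post.

```python
REQUIRED = ("noquery", "nomodify", "notrap", "nopeer")  # flags quoted in the post

def audit_default_restrict(conf_text):
    """Map 'ipv4'/'ipv6' to the required flags missing from its default line(s).

    None means no 'restrict default' line was found for that family.
    If a family has several default lines, gaps from each are accumulated
    (a conservative choice made by this checker).
    """
    missing = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"                             # assumption: bare default = IPv4
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args or args[0] != "default":
            continue                                # per-host/per-net rule, not audited
        flags = set(args[1:])
        gap = {f for f in REQUIRED if f not in flags}
        missing[family] = sorted(set(missing[family] or []) | gap)
    return missing

# Constructed sample: the two lines from the quoted post.
HARDENED = """\
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
"""

# Constructed sample: noquery only appears in a comment, and IPv6 has no default.
WEAK = """\
restrict default nomodify notrap nopeer   # noquery to be added later
restrict 127.0.0.1
server ntp.example.net iburst
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        for family, gap in audit_default_restrict(conf).items():
            status = "no default restrict line" if gap is None else (gap or "ok")
            print(f"{name:9} {family}: {status}")
```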
