[ntp:questions] better rate limiting against amplification attacks?

Harlan Stenn stenn at ntp.org
Thu Jan 9 04:24:32 UTC 2014

William Unruh writes:
> On 2014-01-09, A C <agcarver+ntp at acarver.net> wrote:
> > http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
> >
> > Here's a live amplification attack at work.
> ....
> >> 
> >> As I wrote in another post I believe the time is ripe for a sensible
> >> default builtin configuration, which can then be overridden with ntp.conf.
> >> 
> >> Your suggestion in your previous message is very similar to what I
> >> wanted, i.e. the default is to have a pure client using the pool.
> >> 
> >> As soon as you start writing detailed ntp.conf options I want you to
> >> have the ability to shoot yourself in the foot, if that is your wish.
> But this sounds like it is shooting someone else in the foot. That is
> more serious. I.e., the default is that you should have to work quite hard
> to enable the system to run these amplification attacks (I assume that
> this is using the control system to send control/info packets, rather
> than ntp time protocol packets).

I'm not seeing any new information here.

For DECADES people did not take malicious advantage of things like this.
Now some folks are.

The root problem is not an issue for ntp-4.2.7, and there is a simple
solution for earlier versions.

How about we limit discussion on this thread to actual new information?
