[ntp:questions] better rate limiting against amplification attacks?
nomail at example.com
Wed Jan 15 17:22:10 UTC 2014
William Unruh <unruh at invalid.ca> wrote:
> On 2014-01-15, Steve Kostecke <kostecke at ntp.org> wrote:
>> On 2014-01-15, David Woolley wrote:
>>> On 27/12/13 10:24, Rob wrote:
>>>> There are more and more amplification attacks against ntp servers,
>>>> similar to those against open DNS resolvers. A small packet sent with
>>>> a spoofed source address (allowed by a lame ISP) results in a large
>>>> reply from ntpd, sent to the victim of the attack.
>>> CERT have just issued an alert about the monlist attack:
>>> <https://www.us-cert.gov/ncas/alerts/TA14-013A> (TA14-013A: NTP
>>> Amplification Attacks Using CVE-2013-5211). The advice is upgrade or
>> Upgrade _or_ use noquery _or_ disable monitor
>> Information at http://support.ntp.org/security
> Why does ntpd not disable external monitoring or command by default?
> That way if someone wants to allow it, they have to actively do so,
> presumably knowing what they are doing.
The default config shipped with ntpd, usually mostly provided by the
distributor, is often terrible. (remember the LOCAL clock?)
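For reference, the mitigation the thread refers to (noquery plus disabling the monitor facility) in ntp.conf form; this is an added example, not configuration from the post or from any distributor, and it assumes ntpd's standard `restrict` / `disable` directive syntax and a placeholder upstream server name:

```conf
# --- Weak: a distributor default that answers mode 7 queries (monlist)
#     from anyone, which is what CVE-2013-5211 amplification relies on.
server 0.pool.example.org          # placeholder upstream, not a real pool name
restrict default nomodify notrap   # no "noquery": monlist still answered
restrict 127.0.0.1

# --- Hardened: refuse mode 6/7 queries from unknown sources and turn off
#     the monitor list entirely, so there is nothing large to amplify.
server 0.pool.example.org          # placeholder upstream, not a real pool name

# Deny control/monitor queries by default, for IPv4 and IPv6; "kod" makes
# ntpd send kiss-o'-death packets to clients that exceed rate limits.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Keep full access from the local host only (ntpq/ntpdc for the operator).
restrict 127.0.0.1
restrict ::1

# Disable the MRU/monitor facility that monlist reports on.
disable monitor
```

After restarting ntpd, `ntpq -c rv` against the host's own loopback still works, while mode 7 queries from outside are dropped.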