[ntp:questions] better rate limiting against amplification attacks?

William Unruh unruh at invalid.ca
Wed Jan 15 17:16:44 UTC 2014

On 2014-01-15, Steve Kostecke <kostecke at ntp.org> wrote:
> On 2014-01-15, David Woolley wrote:
>> On 27/12/13 10:24, Rob wrote:
>>> There are more and more amplification attacks against ntp servers,
>>> similar to those against open DNS resolvers. A small packet sent with
>>> a spoofed source address (allowed by a lame ISP) results in a large
>>> reply from ntpd, sent to the victim of the attack.
>> CERT have just issued an alert about the monlist attack:
>> <https://www.us-cert.gov/ncas/alerts/TA14-013A> (TA14-013A: NTP
>> Amplification Attacks Using CVE-2013-5211). The advice is upgrade or
>> use restrict.
> Upgrade _or_ use noquery _or_ disable monitor
> Information at http://support.ntp.org/security

Why does ntpd not disable external monitoring or command by default?
That way, if someone wants to allow it, they have to actively do so,
presumably knowing what they are doing.
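The two mitigations the thread mentions ("use restrict ... noquery" and "disable monitor") side by side with the permissive configuration they replace. This is an added illustration, not a configuration from the original post, from ntp.org, or from any distribution; the pool server names are placeholders and the version notes are the editor's assumptions.

```conf
# ntp.conf, added example (not from the original post or from ntp.org).
#
# Before: the permissive configuration many hosts ran in 2013. Time is
# served to anyone, and so are mode 6/7 control and monitoring queries,
# so a small spoofed 'monlist' request gets a reply listing up to 600
# recent clients, sent to whoever the spoofed source address points at.
#
#   restrict default nomodify notrap
#   server 0.pool.ntp.org
#
# After: keep serving time to everyone, answer control/monitoring queries
# only from localhost, and turn off the monitor list that monlist dumps.

# 'noquery' refuses ntpq/ntpdc (mode 6/7) queries; 'limited kod' rate-limits
# abusive time clients and sends a Kiss-o'-Death instead of a full reply.
# On 4.2.8 one 'restrict default' line covers both address families; on
# older releases the separate '-6' line below is needed (assumption).
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Administration from the box itself keeps full ntpq/ntpdc access.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: with no monitor list there is nothing for a monlist
# request to return even if a restrict line is later loosened by mistake.
disable monitor

# Placeholder upstreams; replace with your own.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

After restarting ntpd, check from a host outside the restricted range with `ntpdc -n -c monlist <server>` (the command the CERT alert uses); a server with either mitigation in place times out instead of returning a client list, while `ntpq -p` run on the server itself still works because localhost is exempted from `noquery`.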

