[ntp:questions] better rate limiting against amplification attacks?

Steve Kostecke kostecke at ntp.org
Wed Jan 15 17:42:39 UTC 2014

On 2014-01-15, Rob <nomail at example.com> wrote:

> William Unruh <unruh at invalid.ca> wrote:
>> On 2014-01-15, Steve Kostecke <kostecke at ntp.org> wrote:
>>> On 2014-01-15, David Woolley wrote:
>>>> CERT have just issued an alert about the monlist attack:
>>>><https://www.us-cert.gov/ncas/alerts/TA14-013A> (TA14-013A: NTP
>>>>Amplification Attacks Using CVE-2013-5211). The advice is upgrade or
>>>>use restrict.
>>> Upgrade _or_ use noquery _or_ disable monitor
>>> Information at http://support.ntp.org/security
>> Why does nptd not disable external monitoring or command by default.
>> That way if someone wants to allow it, they have to actively do so,
>> presumably knowing what they are doing.
> The default config shipped with ntpd, usually mostly provided by the
> distributor, is often terrible. (remember the LOCAL clock?)

The root problem is the fact that certain functionality is globally
enabled by default in the daemon.

Prudence dictates that features which may be deemed as unsuitable for   
uncontrolled, or global, use ought to be disabled by default.

Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/

More information about the questions mailing list