[ntp:questions] better rate limiting against amplification attacks?
unruh at invalid.ca
Wed Jan 15 20:17:04 UTC 2014
On 2014-01-15, Rob <nomail at example.com> wrote:
> William Unruh <unruh at invalid.ca> wrote:
>> On 2014-01-15, Steve Kostecke <kostecke at ntp.org> wrote:
>>> On 2014-01-15, David Woolley wrote:
>>>> On 27/12/13 10:24, Rob wrote:
>>>>> There are more and more amplification attacks against ntp servers,
>>>>> similar to those against open DNS resolvers. A small packet sent with
>>>>> a spoofed source address (allowed by a lame ISP) results in a large
>>>>> reply from ntpd, sent to the victim of the attack.
>>>> CERT have just issued an alert about the monlist attack:
>>>> <https://www.us-cert.gov/ncas/alerts/TA14-013A> (TA14-013A: NTP
>>>> Amplification Attacks Using CVE-2013-5211). The advice is upgrade or
>>> Upgrade _or_ use noquery _or_ disable monitor
>>> Information at http://support.ntp.org/security
>> Why does ntpd not disable external monitoring or command by default?
>> That way if someone wants to allow it, they have to actively do so,
>> presumably knowing what they are doing.
> The default config shipped with ntpd, usually mostly provided by the
> distributor, is often terrible. (remember the LOCAL clock?)
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
I agree that distros could well put in something to undo that and that
they often do really stupid things (mainly because they do not
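As an added illustration of the mitigation options named in the thread (noquery on the default restriction, or disable monitor), here is a small audit script of my own, not code from the post or from the NTP project, that reads an ntp.conf and reports whether its default restriction still answers monlist-style control queries; the three sample configurations are constructed for the example.

```python
# Constructed sample ntp.conf fragments (not from the mailing-list thread).
VULNERABLE_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
# noquery refuses mode 6/7 control queries (monlist included) from everyone
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

DISABLE_MONITOR_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap
disable monitor
"""


def monlist_exposure(conf_text):
    """Return whether the config mitigates monlist as the thread describes:
    either 'noquery' (or 'ignore') on every 'restrict default' line, or an
    effective 'disable monitor'.  Per-host restrict lines are ignored because
    they never match a spoofed source address.  Assumption: the script does
    not check that both IPv4 and IPv6 default lines are present."""
    default_restricts = []
    monitor_disabled = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            # accept 'restrict default ...' and 'restrict -4|-6 default ...'
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_restricts.append(set(args[1:]))
        elif tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"  # later lines win
    # No 'restrict default' at all means ntpd answers queries from anywhere.
    noquery_on_default = bool(default_restricts) and all(
        {"noquery", "ignore"} & flags for flags in default_restricts)
    return {"monitor_disabled": monitor_disabled,
            "noquery_on_default": noquery_on_default,
            "exposed": not (monitor_disabled or noquery_on_default)}
```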