[ntp:questions] better rate limiting against amplification attacks?

Martin Burnicki martin.burnicki at meinberg.de
Thu Jan 16 13:28:32 UTC 2014

Harlan Stenn wrote:
> Ralph Aichinger writes:
>> Debian seems to ship the following (minus comments and disabled stuff):
>> driftfile /var/lib/ntp/ntp.drift
>> server 0.debian.pool.ntp.org iburst
>> server 1.debian.pool.ntp.org iburst
>> server 2.debian.pool.ntp.org iburst
>> server 3.debian.pool.ntp.org iburst
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>> restrict
>> restrict ::1
>> And that seems to work quite well in practice.
> Those 'kod' directives don't do anything, and I think it would be better
> if it was:
>   pool 0.debian.pool.ntp.org iburst

I bet the "server" options for pool servers are in there because this 
was used in earlier versions before the "pool" keyword was introduced, 
and it still works.

> instead, and I'd have to look up when the 'pool' directive was put in
> there.

IIRC this is supported in 4.2.6, but has not been supported in 4.2.4p8 
and earlier. If the ntp.conf file shipped with a particular OS has been 
initially created a long time ago and always been updated for newer NTP 
versions then I'm not surprised to see this.

I'm sure a single sample ntp.conf file shipped with the NTP tarball, 
which is checked/updated before an NTP release to reflect enhancements 
like the "pool" command would definitely help.

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont

More information about the questions mailing list