[ntp:questions] better rate limiting against amplification attacks?
martin.burnicki at meinberg.de
Thu Jan 16 13:28:32 UTC 2014
Harlan Stenn wrote:
> Ralph Aichinger writes:
>> Debian seems to ship the following (minus comments and disabled stuff):
>> driftfile /var/lib/ntp/ntp.drift
>> server 0.debian.pool.ntp.org iburst
>> server 1.debian.pool.ntp.org iburst
>> server 2.debian.pool.ntp.org iburst
>> server 3.debian.pool.ntp.org iburst
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>> restrict 127.0.0.1
>> restrict ::1
>> And that seems to work quite well in practice.
> Those 'kod' directives don't do anything, and I think it would be better
> if it was:
> pool 0.debian.pool.ntp.org iburst
I bet the "server" options for pool servers are in there because this
was used in earlier versions before the "pool" keyword was introduced,
and it still works.
> instead, and I'd have to look up when the 'pool' directive was put in
IIRC this is supported in 4.2.6, but was not supported in 4.2.4p8
and earlier. If the ntp.conf file shipped with a particular OS was
initially created a long time ago and has always been updated for newer
NTP versions, then I'm not surprised to see this.
I'm sure a single sample ntp.conf file shipped with the NTP tarball,
which is checked/updated before an NTP release to reflect enhancements
like the "pool" command, would definitely help.
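As an added example (not from any post in this thread, and not a file shipped by Debian or the NTP project), here is the quoted Debian-style ntp.conf rewritten the way the thread suggests: "pool" instead of four "server" lines, and the rate limiting actually switched on. It assumes ntp 4.2.8 or later, because "restrict source" is needed there; the pool hostnames are the ones from the quoted config, and the "discard" values are the defaults documented for that version.

```conf
# Added example, not the thread's or Debian's own file. Assumes ntp 4.2.8+.
driftfile /var/lib/ntp/ntp.drift

# "pool" mobilizes several associations per DNS name and replaces the four
# "server" lines that predate the pool directive (not supported in 4.2.4p8
# and earlier).
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

# Rate limiting. "limited" denies service to a source whose packet spacing
# violates the "discard" thresholds (ntpd tracks clients via its monitor
# list for this). "kod" only acts together with "limited": it makes ntpd
# answer an over-limit client with a RATE kiss-o'-death instead of dropping
# silently. On its own, as in the quoted config, "kod" is a no-op.
# average 3 = 8 s mean spacing, minimum 1 = 2 s (documented defaults).
discard average 3 minimum 1
restrict -4 default kod limited nomodify nopeer noquery notrap
restrict -6 default kod limited nomodify nopeer noquery notrap

# "nopeer" in the default restriction would also block the associations
# that "pool" mobilizes. "restrict source" (4.2.8+) supplies a separate,
# nopeer-free template for each server picked from the pool.
restrict source notrap nomodify noquery

# Local control (ntpq/ntpdc) stays unrestricted.
restrict 127.0.0.1
restrict ::1
```

After restarting ntpd, "ntpq -p" should show one pool association per DNS name (the "pool" pseudo-peers) plus the actual servers they mobilized; if only the pool entries appear, the default "nopeer" is still winning and the "restrict source" line is missing or unsupported by the installed version.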