[ntp:questions] better rate limiting against amplification attacks?

Rob nomail at example.com
Thu Jan 16 13:49:43 UTC 2014


Martin Burnicki <martin.burnicki at meinberg.de> wrote:
> I bet the "server" options for pool servers are in there because this 
> was used in earlier versions before the "pool" keyword was introduced, 
> and it still works.
>
>> instead, and I'd have to look up when the 'pool' directive was put in
>> there.
>
> IIRC this is supported in 4.2.6, but has not been supported in 4.2.4p8 
> and earlier. If the ntp.conf file shipped with a particular OS has been 
> initially created a long time ago and always been updated for newer NTP 
> versions then I'm not surprised to see this.

Sure.  If the ntp.conf had been included in the ntpd distribution
and had only required small patches like including the distributor
name in the config lines for pool servers, the distributor would have
archived those as a local patch and any changes/updates in the ntp.conf
would appear in the packaged versions as well.

It is only because all the work of creating an ntp.conf has been placed
on the distributor that those distributors do not update it for every
change or feature in the program.  They don't have the resources to track
all changes in all packages they distribute.

> I'm sure a single sample ntp.conf file shipped with the NTP tarball, 
> which is checked/updated before an NTP release to reflect enhancements 
> like the "pool" command would definitely help.

Indeed.


