[ntp:questions] better rate limiting against amplification attacks?
martin.burnicki at meinberg.de
Thu Jan 16 15:18:19 UTC 2014
Miroslav Lichvar wrote:
> On Thu, Jan 16, 2014 at 02:28:32PM +0100, Martin Burnicki wrote:
>> Harlan Stenn wrote:
>>> pool 0.debian.pool.ntp.org iburst
>>
>> I bet the "server" options for pool servers are in there because
>> this was used in earlier versions before the "pool" keyword was
>> introduced, and it still works.
>>
>>> instead, and I'd have to look up when the 'pool' directive was put in
>>
>> IIRC this is supported in 4.2.6, but has not been supported in
>> 4.2.4p8 and earlier. If the ntp.conf file shipped with a particular
>> OS has been initially created a long time ago and always been
>> updated for newer NTP versions then I'm not surprised to see this.
>
> IIRC the pool command in 4.2.6 uses quite a lot of servers, which
> probably is not an acceptable use of pool.ntp.org. I think it was
> improved later in 4.2.7. The page about recommended configuration
> doesn't mention it yet.
>
> Vendors should be careful with the pool command.

Personally I'm not using the pool command very often since in most cases
I have to deal with specific refclocks. I'm biased. ;-)