[ntp:questions] better rate limiting against amplification attacks?

Steve Kostecke kostecke at ntp.org
Thu Jan 16 20:45:32 UTC 2014

On 2014-01-16, Greg Troxel <gdt at ir.bbn.com> wrote:

> Harlan Stenn <stenn at ntp.org> writes:
>> William Unruh writes:
>>> I do not mean the default in the config file, I mean the default if
>>> there is no config file or if nothing is set in the config file.
>> Then ntpd won't connect to anything and there will be no data to report.
> This is a ridiculous strawman.   The ntp project is abdicating its
> responsibility to provide sane default behavior by claiming that no
> default behavior can make everyone happy and therefore it's not their
> fault.  The notion that OS packagers somehow have a better idea of usage
> is also specious.
> Really, ntpd should, when run with a config file of only
>   server 0.pool.ntp.org
>   server 1.pool.ntp.org
>   server 2.pool.ntp.org
> behave relatively sanely, including declining to respond to packets that
> could be amplification attacks,

The majority use case for ntpd is to synchronize your clock to UTC (i.e.
a leaf-node client). So an ntpd ought to have the following defaults:

driftfile /path/to/ntp.drift
pool pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict ::1

This would enable the majority use case without the need for a
configuration file.

> while being usable as a s2/s3 to other nearby nodes.

Operation as a LAN time server is probably a secondary use case. But the
defaults listed above would also enable that usage.

> This notion of good behavior under minimal config seems
> really obvious to me, yet there is a huge resistance to it, with the
> notion that every end user should invest the time to be an expert.


Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/

More information about the questions mailing list