[ntp:questions] better rate limiting against amplification attacks?

Brian Utterback brian.utterback at oracle.com
Thu Jan 16 22:17:20 UTC 2014


On 1/16/2014 3:45 PM, Steve Kostecke wrote:
> On 2014-01-16, Greg Troxel <gdt at ir.bbn.com> wrote:
>
>> Harlan Stenn <stenn at ntp.org> writes:
>>
> The majority use case for ntpd is to synchronize your clock to UTC (i.e.
> a leaf-node client). So an ntpd ought to have the following defaults:
>
> driftfile /path/to/ntp.drift
> pool pool.ntp.org iburst
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
>
> This would enable the majority use case without the need for a
> configuration file.
>

I just tried that with 4.2.7p381 and it failed to get any servers. I added:

restrict source

and it still failed. I commented out the first two restrict lines and 
then it worked.

Brian Utterback
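The proposed defaults above are worth checking mechanically, since the interaction between `pool`, the `nopeer` flag on `restrict default` and `restrict source` is exactly what the reply is probing. The following audit script is an added example, not code from this thread or from the NTP project; it parses an ntp.conf, verifies that both address families' `restrict default` lines carry the query-denying flags, reports when `limited` (the flag that turns on ntpd's discard-based rate limiting) is absent, and flags a `pool` directive that has no accompanying `restrict source`. The last-definition-wins handling of `restrict default` versus `restrict -4/-6 default` is an assumption of this script, and the sample configuration is the one quoted in the message.

```python
"""Audit an ntp.conf for amplification-related restrict defaults.

Added example; not from the mailing-list thread or the NTP project.
"""
import shlex

# Flags on 'restrict default' that refuse mode 6/7 control queries and the
# configuration/peering requests an unauthenticated sender could abuse.
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "nopeer", "notrap", "kod"}
FAMILIES = ("-4", "-6")

# Constructed sample: the defaults proposed in the quoted message.
PROPOSED_DEFAULTS = """\
driftfile /path/to/ntp.drift
pool pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Return (directive, args) pairs; '#' starts a comment, blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def default_restrict_flags(entries):
    """Map '-4' and '-6' to the flag set in force on that family's 'restrict default'.

    Assumption: a bare 'restrict default' applies to both families, and a later
    line for the same family replaces an earlier one.
    """
    families = {}
    for directive, args in entries:
        if directive != "restrict" or not args:
            continue
        rest = list(args)
        family = rest.pop(0) if rest[0] in FAMILIES else None
        if rest and rest[0] == "default":
            flags = set(rest[1:])
            for fam in ([family] if family else FAMILIES):
                families[fam] = flags
    return families


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_ntp_conf(text)
    findings = []
    defaults = default_restrict_flags(entries)
    for family in FAMILIES:
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' line, all flags open")
            continue
        flags = defaults[family]
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append(f"{family}: restrict default lacks {sorted(missing)}")
        if "limited" not in flags:
            findings.append(f"{family}: 'limited' absent, so no per-client rate limiting")
    has_pool = any(d == "pool" for d, _ in entries)
    has_restrict_source = any(d == "restrict" and a[:1] == ["source"] for d, a in entries)
    if has_pool and not has_restrict_source:
        findings.append("pool used without 'restrict source': pool-selected servers "
                        "are governed only by the default restrictions")
    return findings


if __name__ == "__main__":
    for finding in audit(PROPOSED_DEFAULTS):
        print("FINDING:", finding)
```

Run against the quoted defaults it reports three findings: `limited` missing on both families, and `pool` used without `restrict source`. A config that adds `limited` to the default line and a `restrict source nomodify noquery notrap` line passes cleanly; whether that alone makes a particular ntpd version mobilize pool associations is the behaviour the reply above is testing, not something the script asserts.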

