[ntp:questions] better rate limiting against amplification attacks?

Steve Kostecke kostecke at ntp.org
Thu Jan 16 22:41:14 UTC 2014

On 2014-01-16, David Lord <snews at lordynet.org> wrote:

> Steve Kostecke wrote:
> [---=| Quote block shrinked by t-prot: 25 lines snipped |=---]

[snip: sample defaults]

> I have "restrict -4 limited kod nomodify notrap nopeer noquery"
> I've not checked most recent docs but thought "limited" was
> needed for "kod".
> There were also some posts indicating that "kod" could be
> counter productive leading to self inflicted DOS.

This is case of not being able to see the forest for the trees.

The key issue here is having useful defaults which deliver the majority
use case. i.e.:

1. A path/name to store the drift.file
2. A time source (e.g. 'pool pool.ntp.org')
3. Default permissions allowing only rate limited time service
4. Localhost permissions allowing debugging

Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/

More information about the questions mailing list