[ntp:questions] better rate limiting against amplification attacks?

Rob nomail at example.com
Fri Jan 17 09:24:20 UTC 2014


Harlan Stenn <stenn at ntp.org> wrote:
> David Lord writes:
>> I have "restrict -4 limited kod nomodify notrap nopeer noquery"
>> 
>> I've not checked most recent docs but thought "limited" was
>> needed for "kod".
>
> It is.
>
>> There were also some posts indicating that "kod" could be
>> counter-productive, leading to self-inflicted DOS.
>
> I'd love to learn more about this.  I can only see this happening if one
> has a seriously broken client.

You need to understand that the client is the attacker and that he
can make his software as broken as he likes.  So your server needs to
be written and configured in such a way that even a broken client can
not damage anything.

"kod" is useless.  It is not implemented in the majority of clients,
and some broken clients react in a counter-productive way.
The well-behaved client that implements kod does not need it.
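An ntp.conf fragment illustrating the point made in the thread that "limited" must accompany "kod" (added example, not from any poster; it assumes a reference ntpd that supports the restrict flags quoted above and the discard command):

```conf
# Added example, not from the thread: server-side rate limiting in ntp.conf.

# Weak: "kod" without "limited". Per the thread, kod depends on limited,
# so this line never triggers a Kiss-o'-Death and answers every packet.
# restrict default kod nomodify notrap nopeer noquery

# Corrected: rate-limit all clients ("limited"), optionally tell them why
# ("kod"), and refuse control/monitor queries ("noquery") so the server
# cannot be used as an amplifier regardless of how a client behaves.
restrict -4 default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Thresholds consumed by "limited": "minimum" is the guard time between
# packets from one client in seconds; "average" is the minimum average
# spacing in log2 seconds (3 = 8 s). These are the ntpd defaults.
discard minimum 2 average 3
```

Since the thread notes that many clients ignore kod, the protection comes from "limited" dropping excess traffic and "noquery" closing the query path, not from the client honouring the KoD.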
