[ntp:questions] kod and limited

Miroslav Lichvar mlichvar at redhat.com
Tue Nov 24 09:44:46 UTC 2015


On Fri, Nov 20, 2015 at 04:40:24PM +0100, Marco Marongiu wrote:
> Now I have two options:
> 1. remove "kod" altogether
> 2. add "limited"
> 
> The defaults for discard seem sensible[3] and adding "limited" shouldn't
> result in problems. On the other hand, I am worried that (for example)
> local clients using burst/iburst or running ntpdate -q repeatedly for
> debugging purposes may be denied the service. Am I just worrying too much?
> 
> What option would you recommend?

I think the recommendation is to not use the limited option at all.
Some people reported that it may actually increase the amount of
traffic; apparently there are broken clients that send a new request
soon after missing a reply.

Also, there is a security issue that an attacker can prevent a client
from getting replies by sending spoofed packets to the server. See the
archive of the ntp-hackers list for more information.

-- 
Miroslav Lichvar
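
The spoofing issue described in the message above, as an added example that is not part of the original message and is not ntpd's code: a simplified model of a rate limiter keyed on the UDP source address, showing that packets claiming a client's address use up that client's allowance. The 2-second minimum gap, the address and the packet timings are constructed assumptions.

```python
# Simplified model of per-source-address rate limiting.
# This is NOT ntpd's algorithm; it only shows why a limit keyed on an
# unauthenticated UDP source address can be turned against a client.

MIN_GAP = 2.0           # assumed minimum spacing (seconds) per source address
CLIENT = "192.0.2.10"   # constructed documentation address


def serve(packets, limited):
    """Count replies to genuine requests.

    packets: iterable of (arrival_time, claimed_source, is_genuine).
    The server sees only the claimed source, so genuine and spoofed
    packets share one rate-limit entry.
    """
    last_seen = {}
    genuine_replies = 0
    for t, src, genuine in sorted(packets):
        prev = last_seen.get(src)
        last_seen[src] = t  # every packet updates the entry, whoever sent it
        if limited and prev is not None and t - prev < MIN_GAP:
            continue  # dropped by the limiter, no reply
        if genuine:
            genuine_replies += 1
    return genuine_replies


def scenario(spoofed):
    """Ten genuine polls 64 s apart, optionally with one spoofed packet per second."""
    packets = [(64.0 * i + 0.5, CLIENT, True) for i in range(1, 11)]
    if spoofed:
        packets += [(float(t), CLIENT, False) for t in range(700)]
    return packets


if __name__ == "__main__":
    for spoofed in (False, True):
        for limited in (False, True):
            n = serve(scenario(spoofed), limited)
            print(f"spoofed={spoofed!s:5} limited={limited!s:5} genuine replies={n}/10")
```

With the limiter off, the same spoofed stream costs the client nothing beyond unsolicited replies; with it on, every genuine poll lands inside the gap opened by a spoofed packet and is dropped.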

