[Pool] [D]DoS attack characteristics and mitigation

Miroslav Lichvar mlichvar at redhat.com
Tue Feb 11 10:51:56 UTC 2014


On Mon, Feb 10, 2014 at 03:13:17PM +0100, Miroslav Lichvar wrote:
> > % grep noquery /etc/ntp.conf 
> > restrict	default kod nomodify notrap nopeer noquery limited
> > restrict	-6 default kod nomodify notrap nopeer noquery limited
> 
> That's odd. With noquery the server should respond only to normal
> client requests and with limited+kod the outgoing packet rate should
> be much smaller and not useful for an amplification/reflection attack.
> 
> Any chance the config also has "disable monitor"? That effectively
> disables the limited and kod options.

It seems it's actually the other way, at least in 4.2.6p5. If the
config has a restriction with limited, the monitor will be enabled
even with "disable monitor".

If you are using "disable monitor" to prevent the amplification
attack, make sure "limited" is not used in the config.

-- 
Miroslav Lichvar
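
A check for the interaction described in this message, as an added example that is not part of the original post or of ntpd: it scans ntp.conf text for "disable monitor" combined with a restrict line carrying "limited", and also lists default restrict lines that lack "noquery". The sample config is constructed, and treating the last enable/disable monitor directive as the effective one is an assumption.

```python
# Added example: audit ntp.conf text for the "disable monitor" + "limited" interaction.
# Constructed sample: the restrict lines quoted in the thread plus "disable monitor".
SAMPLE_CONF = """\
# constructed example config
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
disable monitor   # intended to turn the monitor (MRU list) off
"""


def audit_ntp_conf(text):
    """Report whether 'disable monitor' is undermined by a 'limited' restriction."""
    monitor_disabled = False
    limited_lines = []            # line numbers of restrict lines carrying "limited"
    default_without_noquery = []  # default restrict lines that still allow queries
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].lower().split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            # Assumption: the last enable/disable directive is the effective one.
            monitor_disabled = keyword == "disable"
        elif keyword == "restrict":
            if "limited" in args:
                limited_lines.append(lineno)
            if "default" in args and "noquery" not in args:
                default_without_noquery.append(lineno)
    return {
        "monitor_disabled": monitor_disabled,
        "limited_lines": limited_lines,
        "default_without_noquery": default_without_noquery,
        # Per the message (observed in 4.2.6p5): "limited" turns the monitor back on.
        "monitor_forced_on": monitor_disabled and bool(limited_lines),
    }


if __name__ == "__main__":
    result = audit_ntp_conf(SAMPLE_CONF)
    if result["monitor_forced_on"]:
        print("disable monitor is ineffective: 'limited' on lines", result["limited_lines"])
    if result["default_without_noquery"]:
        print("default restrict without noquery on lines", result["default_without_noquery"])
```

To audit a real host, pass the contents of /etc/ntp.conf to audit_ntp_conf() in place of the sample.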

