[Pool] DDoS Type Attack

Arnold Schekkerman ntp-list at mallos.nl
Mon Feb 17 12:05:20 UTC 2014


On 02/16/2014 11:56 PM, Nyamul Hassan wrote:
>>> restrict default limited kod notrap nopeer
>> Add noquery to the above list
> Yes, we could.  But, some people on this list believe that "noquery" also
> restricts certain use cases, which as "Pool Servers" we should be able to
> accommodate.  What do you think?

The network monitoring functions were an optional part of version 3 of the NTP
standard, as described in appendix B of the obsoleted RFC 1305.
That appendix is intended for (local) network management (like SNMP), not for use
over the global internet.

The NTPv3 RFC has been obsoleted by RFC 5905 (NTPv4) that only mentions packet type
6 as NTP control message, but it does not define any use and it does not describe
the control message format.

So, in my opinion and as others suggested you are free to block all (now ntpd
implementation specific) control messages, while still conforming to the standard.

In the 8+ years I have had a server in the pool, I have always had 'noquery' _and_
dropped type 6 packets at the firewall using iptables (IPv4 only).
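The distinction Arnold draws (time requests versus mode 6 control messages) lives in the first byte of every NTP packet, and a firewall rule or a detection signature keys on exactly that. The following is an added illustration, not code from the post or from the ntp.org project, and the iptables rules the author mentions are not reproduced here: it decodes the LI/VN/Mode byte per RFC 5905 section 7.3, applies the author's "drop mode 6 inbound" policy to a set of constructed sample payloads, and, for mode 6 packets, decodes the control header laid out in RFC 1305 Appendix B so a reader can see what such a message carries (the sample payloads and their labels are constructed for the example, not captured traffic).

```python
import struct

# Mode values from the first NTP byte (LI:2 bits | VN:3 bits | Mode:3 bits), RFC 5905 s.7.3.
NTP_MODES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",   # ntpd control messages; RFC 5905 names the mode but defines no format
    7: "private",   # implementation-specific (legacy ntpdc-style requests)
}


def parse_first_byte(packet: bytes) -> dict:
    """Split the leading byte into leap indicator, version and mode."""
    if not packet:
        raise ValueError("empty packet")
    b = packet[0]
    return {"li": b >> 6, "vn": (b >> 3) & 0x7, "mode": b & 0x7}


def is_control_message(packet: bytes, drop_modes=frozenset({6})) -> bool:
    """True when the packet's mode is in the set a server should refuse to answer."""
    return parse_first_byte(packet)["mode"] in drop_modes


def filter_packets(packets, drop_modes=frozenset({6})):
    """Mirror a mode-based firewall rule: return (allowed_labels, dropped_labels)."""
    allowed, dropped = [], []
    for label, pkt in packets:
        (dropped if is_control_message(pkt, drop_modes) else allowed).append(label)
    return allowed, dropped


def parse_control_header(packet: bytes) -> dict:
    """Decode the 12-byte mode 6 header (RFC 1305 Appendix B layout).

    Byte 1 holds R (response), E (error), M (more) flags and a 5-bit opcode;
    then sequence, status, association id, offset and count, all 16-bit big-endian.
    """
    if parse_first_byte(packet)["mode"] != 6:
        raise ValueError("not a mode 6 control message")
    if len(packet) < 12:
        raise ValueError("truncated control header (need 12 bytes)")
    b0, b1, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", packet[:12])
    return {
        "response": bool(b1 & 0x80),
        "error": bool(b1 & 0x40),
        "more": bool(b1 & 0x20),
        "opcode": b1 & 0x1F,
        "sequence": seq,
        "status": status,
        "association_id": assoc,
        "offset": offset,
        "count": count,
    }


# Constructed sample payloads (first byte chosen for the mode; rest is zero padding).
SAMPLE_PACKETS = [
    ("client request, v4 mode 3", bytes([0x23]) + bytes(47)),
    ("control request, v2 mode 6", bytes([0x16, 0x02]) + b"\x00\x01" + bytes(8)),
    ("control request, v4 mode 6", bytes([0x26]) + bytes(11)),
    ("private request, v2 mode 7", bytes([0x17]) + bytes(7)),
]


if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS:
        hdr = parse_first_byte(pkt)
        print(f"{label}: vn={hdr['vn']} mode={hdr['mode']} ({NTP_MODES[hdr['mode']]})")
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    print("allowed:", allowed)
    print("dropped:", dropped)
    print("mode 6 header:", parse_control_header(SAMPLE_PACKETS[1][1]))
```

Note that the policy in `filter_packets` is the author's one (mode 6 only); passing `drop_modes={6, 7}` extends it to the private mode, which RFC 5905 also leaves undefined. The header decoder refuses short packets rather than guessing at missing fields, which is the behaviour you want in a parser that sits in front of a logging or alerting path.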