[Pool] DDoS Type Attack
stenn at ntp.org
Mon Feb 17 20:15:14 UTC 2014
Arnold Schekkerman writes:
> On 02/16/2014 11:56 PM, Nyamul Hassan wrote:
>>>> restrict default limited kod notrap nopeer
>>> Add noquery to the above list
>> Yes, we could. But, some people on this list believe that "noquery" also
>> restricts certain use cases, which as "Pool Servers" we should be able to
>> accommodate. What do you think?
I addressed why noquery should be added in an earlier message. My only
concern was that it might preclude the pool Q/A monitors from working,
and Ask tells me that monitoring does not use the NTP monitoring stuff.
So yes, noquery should be added.
> The network monitoring functions were an optional part of version 3 of
> the NTP standard, as described in appendix B of the obsoleted RFC 1305.
> That appendix is intended for (local) network management (like SNMP),
> not for use over the global internet.
No, it is a general-use facility. It is a mechanism, and there is no
policy statement made.
If your (local) policy is to deny that information to random outsiders,
that is perfectly acceptable. If you choose to allow some folks to
access this information, that's your (fine) choice too.
If your (local) policy is to allow everybody to get your information
that's mostly OK too, up to the point where it causes harm to others.
> The NTPv3 RFC has been obsoleted by RFC 5905 (NTPv4) that only
> mentions packet type 6 as NTP control message, but it does not define
> any use and it does not describe the control message format.
That was an oversight and it's being corrected. 5905 should define mode
6 and mode 7 packets (the latter only in general).
> So, in my opinion and as others suggested you are free to block all
> (now ntpd implementation specific) control messages, while still
> conforming to the standard.
Yes, and again, whether or not to use noquery is a local policy choice.
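As an added example (not from this thread or the ntp project): a small audit script that reads an ntp.conf, reports which address families still allow mode 6/7 queries because their default restrict line lacks the noquery flag discussed above, and produces a hardened copy. It assumes ntpd's rule that a `restrict default` line without -4/-6 covers both IPv4 and IPv6, and the sample configuration is constructed.

```python
# Audit ntp.conf 'restrict ... default' lines for the noquery flag.
# Constructed sample config using the restrict line quoted in the thread.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default limited kod notrap nopeer   # both families (assumption)
restrict -6 default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::1
"""


def _default_restrict_lines(conf):
    """Yield (line_index, families, flags) for every 'restrict [-4|-6] default' line."""
    for i, raw in enumerate(conf.splitlines()):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        families = {"ipv4", "ipv6"}  # assumption: no -4/-6 means both families
        if tokens[1] in ("-4", "-6"):
            families = {"ipv4"} if tokens[1] == "-4" else {"ipv6"}
            tokens = tokens[:1] + tokens[2:]
        if len(tokens) < 2 or tokens[1] != "default":
            continue
        yield i, families, set(tokens[2:])


def query_exposed(conf):
    """Return sorted families whose default restriction does not include 'noquery'.

    A family with no default restrict line at all is reported as exposed, since an
    unrestricted default answers control/monitor queries from any source.
    """
    seen = {"ipv4": [], "ipv6": []}
    for _, families, flags in _default_restrict_lines(conf):
        for fam in families:
            seen[fam].append("noquery" in flags)
    return sorted(fam for fam, ok in seen.items() if not ok or not all(ok))


def harden(conf):
    """Return conf with 'noquery' appended to every default restrict line lacking it."""
    lines = conf.splitlines()
    for i, _, flags in _default_restrict_lines(conf):
        if "noquery" not in flags:
            code, sep, comment = lines[i].partition("#")
            lines[i] = code.rstrip() + " noquery" + (" #" + comment if sep else "")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("exposed before:", query_exposed(WEAK_CONF))  # ['ipv4', 'ipv6']
    print("exposed after: ", query_exposed(harden(WEAK_CONF)))  # []
```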