[Pool] IPTables rate limit write up

Brian Rak brak at constant.com
Thu Feb 20 20:42:11 UTC 2014


You generally only need rate limits if you have monlist enabled for some 
reason.  There's no reason to expose monlist to the internet, so you 
shouldn't need rate limits.

I've lost track of how many times I've said this, but iptables is not 
the solution to these attacks.  The solution is fixing your config to 
disable monlist (add noquery to your 'restrict default' lines).

Those rules are also useless against the attack.  One monlist request 
can generate 40+ packets, so your rate limit won't really help a whole lot.

On 2/20/2014 12:20 PM, Scott Baker wrote:
> I wrote this up, and it may be helpful to some other people on the list.
>
> http://www.perturb.org/display/1163_IPTables_limit_source_packet_rate.html
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool
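As an added example that is not part of this thread, here is a small POSIX shell audit showing the configuration change Brian describes: a constructed ntp.conf with `restrict default` lines that lack `noquery` (monlist reachable from anywhere) beside the corrected version, and a check that flags any such line. The config contents and the function names `audit_restrict_default` and `count_unprotected` are my own assumptions, not anything from the list post.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit an ntp.conf for
# 'restrict default' lines missing 'noquery', the fix that disables monlist
# (and all other mode 6/7 queries) for unlisted clients.

# Constructed weak config: mode 7 queries such as monlist are not denied.
WEAK_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
'

# Constructed corrected config: noquery added to both restrict default lines.
# The bare "restrict 127.0.0.1" line keeps local ntpq/ntpdc queries working.
FIXED_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
'

# audit_restrict_default CONFIG_TEXT
# Prints every 'restrict [-4|-6] default ...' line that lacks the noquery
# flag. Exit status 0 when all default restrictions carry noquery, 1 otherwise.
audit_restrict_default() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)/ {
            if ($0 !~ /(^|[[:space:]])noquery([[:space:]]|$)/) {
                print "MISSING noquery: " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# count_unprotected CONFIG_TEXT
# Number of restrict default lines still exposing queries; always exits 0.
count_unprotected() {
    audit_restrict_default "$1" | wc -l | tr -d ' '
    return 0
}

echo "== weak config =="
audit_restrict_default "$WEAK_CONF" || echo "fix: append noquery to the lines above"
echo "== fixed config =="
audit_restrict_default "$FIXED_CONF" && echo "ok: queries denied for unlisted clients"
```

Run it against a real file with `audit_restrict_default "$(cat /etc/ntp.conf)"`. Because one monlist request can trigger dozens of reply packets toward a spoofed victim, denying the query is the control that removes the amplification; an inbound rate limit only trims how often that happens.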
