[Pool] IPTables rate limit write up
brak at constant.com
Thu Feb 20 20:42:11 UTC 2014
You generally only need rate limits if you have monlist enabled for some
reason. There's no reason to expose monlist to the internet, so you
shouldn't need rate limits.
I've lost track of how many times I've said this, but iptables is not
the solution to these attacks. The solution is fixing your config to
disable monlist (add noquery to your 'restrict default' lines).
Those rules are also useless against the attack. One monlist request
can generate 40+ packets, so your rate limit won't really help a whole lot.
On 2/20/2014 12:20 PM, Scott Baker wrote:
> I wrote this up, and it may be helpful to some other people on the list.
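As an added illustration of the fix the reply recommends (this is not code from the original mail or from the NTP project), the POSIX shell audit below checks an ntp.conf for `restrict default` lines that lack `noquery`; the two sample configurations it writes are constructed, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: audit an ntp.conf for
# "restrict default" lines that leave control queries open. Adding
# "noquery" to every 'restrict default' line blocks mode 6/7 queries,
# which is what makes monlist reachable. Sample configs are constructed.

# Print offending "restrict [-4|-6] default" lines; return 1 if any lack
# noquery (or if no default restrict line exists at all), else return 0.
audit_ntp_restrict() {
    conf="$1"
    default_re='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)'
    lines=$(grep -E "$default_re" "$conf" || true)
    if [ -z "$lines" ]; then
        echo "$conf: no 'restrict default' line; ntpd answers queries from anywhere"
        return 1
    fi
    # Keep only the default lines where noquery is absent as a whole word.
    bad=$(printf '%s\n' "$lines" | grep -vE '(^|[[:space:]])noquery([[:space:]]|$)' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while IFS= read -r l; do
            echo "$conf: missing noquery: $l"
        done
        return 1
    fi
    echo "$conf: all default restrict lines carry noquery"
    return 0
}

# Constructed sample configurations: the weak one has default restrict
# lines without noquery, the fixed one adds it.
write_sample_confs() {
    cat > "$1" <<'EOF'
# constructed: monlist reachable from any address
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF
    cat > "$2" <<'EOF'
# constructed: noquery added to the default lines
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
}

# Stand-alone demo: audit both constructed files (paths are placeholders).
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir/weak.conf" "$demo_dir/fixed.conf"
audit_ntp_restrict "$demo_dir/weak.conf" || true
audit_ntp_restrict "$demo_dir/fixed.conf" || true
```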