[ntp:questions] Public ntp-server and reflection-attacks

Jure Sah dustwolfy at gmail.com
Mon Dec 23 13:58:57 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On 21. 11. 2013 18:12, Michael Sinatra wrote:
>> How can I disable this behavior of ntpd?
> 
> There are several ways, but having a basic 'restrict' statement in
> your config like this will help mitigate this attack:
> 
> restrict default noquery nomodify notrap nopeer
> restrict -6 default noquery nomodify notrap nopeer
> 
> I believe the key command is 'noquery' which means that the server
> can't be queried for information (it does NOT affect the server's
> ability to respond to time requests).  However, the other options
> will also protect your public time server.  (I am also interested
> in how others are locking down public NTP servers.)

Wouldn't noquery or nopeer also prevent your timeserver from being
used by other timeservers? Or at least limit usability?

LP,
Jure
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlK4QaEACgkQB6mNZXe93qggxACeO7Yxis3LZdZCUvGwcc2BpnIK
sIkAn2BUYxuGuTFmL4L8VXKYjyyGugum
=3c1N
-----END PGP SIGNATURE-----
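
A small audit of the default 'restrict' entries discussed in the quoted reply, as an added example that is not part of the original thread or of ntpd. The function name and both sample configs are constructed here. It assumes an unqualified "default" covers IPv4 only (which is why the reply has a separate -6 line) and that repeated default lines accumulate.

```python
REQUIRED = ("noquery", "nomodify", "notrap", "nopeer")  # flags named in the quoted reply

def audit_restrict(conf_text):
    """Return {family: [flags missing from that family's default restrict entry]}."""
    flags = {"ipv4": None, "ipv6": None}          # None = no default line seen
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()     # strip comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        # Assumption: unqualified "default" is counted as IPv4 only (conservative).
        family = "ipv4"
        if rest[0] in ("-4", "-6"):
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if not rest or rest[0] != "default":
            continue                              # per-host/subnet entries are not audited
        # Assumption: repeated default lines are treated as cumulative.
        flags[family] = (flags[family] or set()) | set(rest[1:])
    report = {}
    for family, seen in flags.items():
        if seen is not None and "ignore" in seen:
            report[family] = []                   # 'ignore' drops all packets
        else:
            # A family with no default line is treated as unrestricted.
            report[family] = [f for f in REQUIRED if f not in (seen or set())]
    return report

# Constructed sample: the two lines from the quoted reply.
HARDENED = """\
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
"""

# Constructed sample: one partial IPv4 entry and no IPv6 entry.
WEAK = """\
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify   # queries still allowed
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_restrict(conf))
```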