[ntp:questions] Public ntp-server and reflection-attacks
Jure Sah
dustwolfy at gmail.com
Mon Dec 23 13:58:57 UTC 2013
Hello,
On 21. 11. 2013 18:12, Michael Sinatra wrote:
>> How can I disable this behavior of ntpd?
>
> There are several ways, but having a basic 'restrict' statement in
> your config like this will help mitigate this attack:
>
> restrict default noquery nomodify notrap nopeer
> restrict -6 default noquery nomodify notrap nopeer
>
> I believe the key command is 'noquery' which means that the server
> can't be queried for information (it does NOT affect the server's
> ability to respond to time requests). However, the other options
> will also protect your public time server. (I am also interested
> in how others are locking down public NTP servers.)
Wouldn't noquery or nopeer also prevent your timeserver from being
used by other timeservers? Or at least limit usability?
LP,
Jure
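
An added example (not part of the original posts, and not ntpd source code): a simplified model of how the documented restrict flags apply to each NTP packet mode, run over constructed sample headers. The function names, decision labels and sample packets are assumptions made for illustration; `ignore` and `noserve` are real ntpd flags that are not in the quoted config and are included only for contrast.

```python
# Simplified model of ntpd "restrict" flag handling per NTP packet mode.
# Added illustration only; this is not ntpd source code.

PAGE_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}  # flags quoted above

# Constructed sample packets: only the first byte (LI | VN | Mode) is meaningful.
SAMPLES = {
    "client": bytes([0x23]) + bytes(47),            # VN 4, mode 3: time request
    "symmetric-active": bytes([0x21]) + bytes(47),  # VN 4, mode 1: peer attempt
    "ntpq-control": bytes([0x16]) + bytes(11),      # VN 2, mode 6
    "ntpdc-private": bytes([0x17]) + bytes(7),      # VN 2, mode 7
}

def parse_mode(packet: bytes) -> int:
    """Return the 3-bit mode field from the first header byte."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] & 0x07

def decide(packet: bytes, flags: set, authenticated: bool = False) -> str:
    """Return a hypothetical decision label for one packet under `flags`."""
    mode = parse_mode(packet)
    if "ignore" in flags:
        return "drop"
    if mode in (6, 7):
        # noquery covers only ntpq/ntpdc queries (modes 6 and 7).
        return "drop" if "noquery" in flags else "answer-query"
    if "noserve" in flags:
        # noserve, not noquery, is the flag that denies time service.
        return "drop"
    if mode == 3:
        # Client-mode requests need no association, so nopeer does not apply.
        return "serve-time" if len(packet) >= 48 else "drop"
    if mode in (1, 5):
        # nopeer refuses to mobilize an association for unauthenticated
        # symmetric-active or broadcast packets from unconfigured sources.
        if "nopeer" in flags and not authenticated:
            return "no-association"
        return "association-eligible"
    return "not-modelled"

def classify_all(flags: set) -> dict:
    """Apply decide() to every constructed sample."""
    return {name: decide(pkt, flags) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_all(PAGE_FLAGS).items():
        print(f"{name:18} -> {verdict}")
```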