[ntp:questions] better rate limiting against amplification attacks?

Terje Mathisen terje.mathisen at tmsw.no
Sat Dec 28 10:31:22 UTC 2013


Steve Kostecke wrote:
> On 2013-12-27, detha <detha at foad.co.za> wrote:
>
>> A first step would be to have a default configuration where any
>> functionality that can be used for reflection attacks with more than a say
>> 2:1 ratio needs to be explicitly enabled, with warnings about this in the
>> sample config file(s).
>
> The NTP Reference Implementation has no default use case. So there is no
> "baked-in" sensible default configuration. Some view this as a feature.

With the current dev code it seems to me that, for the first time, it is 
possible to define a useful default configuration, maybe something like 
this:

pool pool.ntp.org  # Self-optimising set of network servers
restrict source    # Allow the same servers to query us back
restrict default nopeer noquery limited  # Everyone else: no peering, no mode 6/7 queries, rate-limited

(The default restrict is open for discussion!)

Terje
-- 
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
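As an added illustration (not part of the thread or of ntpd itself), here is a small Python audit that parses the restrict directives in an ntp.conf and reports whether the default policy carries the flags proposed above (noquery, nopeer, limited). Both sample configurations are constructed for the example; the flag names are the real ntp.conf keywords.

```python
"""Audit an ntp.conf for a 'restrict default' policy that leaves ntpd open to reflection."""
import shlex

# Flags on 'restrict default' that close the amplification paths discussed in the thread.
REQUIRED_DEFAULT_FLAGS = {
    "noquery": "mode 6/7 control queries (e.g. monlist) are answerable by anyone",
    "nopeer": "unsolicited packets can create symmetric-peer associations",
    "limited": "no rate limiting of responses to a single source (uses 'discard' settings)",
}

def parse_restrict_lines(text):
    """Return (target, flags) for every 'restrict' directive; comments are stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        # Drop address-family selectors so 'restrict -4 default' is seen as 'default'.
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        target, rest = args[0], args[1:]
        # 'mask a.b.c.d' takes an argument; fold it into the target instead of the flags.
        if rest[:1] == ["mask"] and len(rest) >= 2:
            target, rest = f"{target} mask {rest[1]}", rest[2:]
        rules.append((target, set(rest)))
    return rules

def audit_default_restrict(text):
    """Return human-readable findings; an empty list means the default policy is tight."""
    defaults = [flags for target, flags in parse_restrict_lines(text) if target == "default"]
    if not defaults:
        return ["no 'restrict default' line: ntpd answers every request from every source"]
    findings = []
    for flags in defaults:  # one line each for IPv4 and IPv6 is common; check them all
        for flag, risk in REQUIRED_DEFAULT_FLAGS.items():
            if flag not in flags:
                findings.append(f"'restrict default' lacks {flag}: {risk}")
    return findings

# Constructed samples: the default proposed in the message above, and a weaker one.
PROPOSED_CONF = """
pool pool.ntp.org   # Self-optimising set of network servers
restrict source     # Allow the same servers to query us back
restrict default nopeer noquery limited
"""
WEAK_CONF = "server 0.pool.ntp.org\nrestrict -4 default kod notrap nomodify\n"

if __name__ == "__main__":
    for name, conf in (("proposed", PROPOSED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_default_restrict(conf) or ["ok"])
```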


