[ntp:questions] better rate limiting against amplification attacks?

Terje Mathisen terje.mathisen at tmsw.no
Sat Dec 28 13:31:30 UTC 2013


Harlan Stenn wrote:
> The other ones I'd really like help with.  I definitely want to see the
> network-related bugs fixed and 2367.  I'd like to see some study done on
> 2016.  I'm game to let the other ones slide.

I've just gone through 2367 and I have to join Brian's side:

I.e. if somebody adds NOSERVE to a client it would be perfectly fine to 
let that override PEER or anything else: NOSERVE should only be used on 
a pure end-node client, with no sideways or downstream communication.

Brian's one-line fix is definitely better than the current situation.

If this leads to glitches for really funky conf setups, then so be it. 
It is NOT worth holding the new release!

Re 2016: This one is really strange!

I do agree that as soon as reach == 0 even a prefer server should be 
disallowed. The one thing I wonder about is the + vs * status:

Can a '+' server steer the local clock at all, or will this only happen 
where there is a designated '*' winner?

Terje

-- 
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"


