[ntp:questions] better rate limiting against amplification attacks?

Ralph Aichinger ralph at pangea.at
Thu Jan 16 09:59:27 UTC 2014


Greg Troxel <gdt at ir.bbn.com> wrote:
> Really, ntpd should, when run with a config file of only
> 
>  server 0.pool.ntp.org
>  server 1.pool.ntp.org
>  server 2.pool.ntp.org

Debian seems to ship the following (minus comments and disabled stuff):

driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

And that seems to work quite well in practice.

/ralph
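Added example (not part of Ralph's message, of Debian's ntp package or of ntpd itself): a small POSIX shell audit that pulls the catch-all "restrict ... default" entries out of an ntp.conf and reports whether they carry the two flags that matter for the amplification question this thread is about, "noquery" (refuses the mode 6/7 control queries, which is where monlist lives) and "limited" (switches on ntpd's per-client rate limiting, tuned by the discard command). The ntpd documentation describes "kod" as only choosing the kiss-o'-death reply for a client that is already being refused, so a line with kod but without limited is not rate limited; the script flags exactly that case in the Debian defaults quoted above. The function names, report format and the "hardened" variant are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from the ntp project:
# audit "restrict ... default" entries of an ntp.conf for amplification
# hygiene. Checks two flags:
#   noquery  refuses mode 6/7 control queries (monlist is a mode 7 query)
#   limited  enables rate limiting; "kod" alone does not (it only selects
#            the kiss-o'-death reply for clients already being refused)
# Function names and report format are this example's own.

# Print one line per default restrict entry:
#   "<ipv4|ipv6|both>: ok" or "<family>: missing <flag> [<flag>]"
ntp_restrict_report() {
    # Drop comments first so a commented-out "restrict default" does not count;
    # awk rebuilds $0 so flags are separated by single spaces for matching.
    sed 's/#.*//' "$1" |
    awk '$1 == "restrict" && ($2 == "default" || ($2 ~ /^-[46]$/ && $3 == "default")) { $1 = $1; print }' |
    while read -r line; do
        case "$line" in
            "restrict -4 default"*) fam=ipv4 ;;
            "restrict -6 default"*) fam=ipv6 ;;
            *)                      fam=both ;;   # bare "restrict default" covers both families
        esac
        case " $line " in
            *" ignore "*) echo "$fam: ok (ignore: no replies at all)"; continue ;;
        esac
        missing=""
        for flag in noquery limited; do
            case " $line " in
                *" $flag "*) ;;
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$fam: ok"
        else
            echo "$fam: missing$missing"
        fi
    done
}

# Return 0 only if at least one default entry exists and all of them passed.
ntp_restrict_audit() {
    report=$(ntp_restrict_report "$1")
    if [ -z "$report" ]; then
        echo "no default restrict entry: ntpd answers queries from anyone"
        return 1
    fi
    echo "$report"
    case "$report" in
        *missing*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample inputs: the Debian defaults quoted in the thread, and
# the same file with "limited" added to both default entries.
DEBIAN_CONF=$(mktemp)
cat >"$DEBIAN_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
# restrict default ignore        <- commented out, must not count
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF

HARDENED_CONF=$(mktemp)
sed 's/^restrict \(-[46]\) default kod /restrict \1 default kod limited /' \
    "$DEBIAN_CONF" >"$HARDENED_CONF"

echo "== Debian default =="
ntp_restrict_audit "$DEBIAN_CONF" || echo "-> kod present but no limited: not rate limited"
echo "== with limited added =="
ntp_restrict_audit "$HARDENED_CONF" && echo "-> rate limited and no control queries"
```

Run it against a real file with `ntp_restrict_audit /etc/ntp.conf`; a non-zero exit means either no default entry at all or at least one default entry missing noquery or limited. It only reads the restrict lines, so an "ignore" default is reported as fine without checking the per-host exceptions that would have to follow it.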


