[ntp:questions] better rate limiting against amplification attacks?
Ralph Aichinger
ralph at pangea.at
Thu Jan 16 09:59:27 UTC 2014
Greg Troxel <gdt at ir.bbn.com> wrote:
> Really, ntpd should, when run with a config file of only
>
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
Debian seems to ship the following (minus comments and disabled stuff):
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
And that seems to work quite well in practice.
/ralph
More information about the questions
mailing list