[ntp:questions] better rate limiting against amplification attacks?

Harlan Stenn stenn at ntp.org
Thu Jan 16 10:47:18 UTC 2014


Ralph Aichinger writes:
> Greg Troxel <gdt at ir.bbn.com> wrote:
> > Really, ntpd should, when run with a config file of only
> > 
> >  server 0.pool.ntp.org
> >  server 1.pool.ntp.org
> >  server 2.pool.ntp.org
> 
> Debian seems to ship the following (minus comments and disabled stuff):
> 
> driftfile /var/lib/ntp/ntp.drift
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
> server 2.debian.pool.ntp.org iburst
> server 3.debian.pool.ntp.org iburst
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> 
> And that seems to work quite well in practice.

Those 'kod' directives don't do anything, and I think it would be better
if it was:

 pool 0.debian.pool.ntp.org iburst

instead, and I'd have to look up when the 'pool' directive was put in
there.

And I know I'm tweaking nits.  The issue is when does it cross the line
between nitpicking and making a "significant" improvement, statistically
or otherwise.

H
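As an added illustration (not part of the thread or of the ntp project's own code), a small checker for the three points raised above: a default `restrict` without `noquery` leaves mode 6/7 queries such as monlist answerable (the amplification vector in the subject line), `kod` has no effect unless `limited` is also set, and `server` lines pointing at pool hostnames are better expressed with the `pool` directive. The sample configuration is constructed from the one quoted in the message.

```python
"""Lint an ntp.conf for the restrict/pool points discussed in this thread."""
from typing import List

# Constructed sample: the Debian defaults quoted in the message.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def lint_ntp_conf(text: str) -> List[str]:
    """Return one finding per problematic line, in file order."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *args = line.split()
        if directive == "restrict":
            flags = set(args)
            if "default" in flags:
                # Without noquery, ntpq/ntpdc control queries (monlist,
                # peers, ...) are answered for everyone: the amplifier.
                if "noquery" not in flags:
                    findings.append(f"line {lineno}: default restrict lacks noquery")
                # kod only sends KoD packets when 'limited' triggers rate
                # limiting; on its own it is a no-op, as the thread notes.
                if "kod" in flags and "limited" not in flags:
                    findings.append(f"line {lineno}: kod without limited has no effect")
        elif directive == "server" and args and args[0].endswith("pool.ntp.org"):
            findings.append(f"line {lineno}: use 'pool {args[0]} iburst' instead of 'server'")
    return findings


if __name__ == "__main__":
    for finding in lint_ntp_conf(SAMPLE_CONF):
        print(finding)
```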

