[ntp:questions] better rate limiting against amplification attacks?
Harlan Stenn
stenn at ntp.org
Thu Jan 16 10:47:18 UTC 2014
Ralph Aichinger writes:
> Greg Troxel <gdt at ir.bbn.com> wrote:
> > Really, ntpd should, when run with a config file of only
> >
> > server 0.pool.ntp.org
> > server 1.pool.ntp.org
> > server 2.pool.ntp.org
>
> Debian seems to ship the following (minus comments and disabled stuff):
>
> driftfile /var/lib/ntp/ntp.drift
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
> server 2.debian.pool.ntp.org iburst
> server 3.debian.pool.ntp.org iburst
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
>
> And that seems to work quite well in practice.
Those 'kod' directives don't do anything, and I think it would be better
if it was:
pool 0.debian.pool.ntp.org iburst
instead, and I'd have to look up when the 'pool' directive was put in
there.
And I know I'm tweaking nits. The issue is when does it cross the line
between nitpicking and making a "significant" improvement, statistically
or otherwise.
H
More information about the questions
mailing list