[ntp:questions] better rate limiting against amplification attacks?

Miroslav Lichvar mlichvar at redhat.com
Thu Jan 16 14:14:36 UTC 2014


On Thu, Jan 16, 2014 at 02:28:32PM +0100, Martin Burnicki wrote:
> Harlan Stenn wrote:
> >  pool 0.debian.pool.ntp.org iburst
> 
> I bet the "server" options for pool servers are in there because
> this was used in earlier versions before the "pool" keyword was
> introduced, and it still works.
> 
> >instead, and I'd have to look up when the 'pool' directive was put in
> >there.
> 
> IIRC this is supported in 4.2.6, but has not been supported in
> 4.2.4p8 and earlier. If the ntp.conf file shipped with a particular
> OS has been initially created a long time ago and always been
> updated for newer NTP versions then I'm not surprised to see this.

IIRC the pool command in 4.2.6 uses quite a lot of servers, which
probably is not an acceptable use of pool.ntp.org. I think it was
improved later in 4.2.7. The page about recommended configuration
doesn't mention it yet.

http://www.pool.ntp.org/en/use.html

Vendors should be careful with the pool command.

-- 
Miroslav Lichvar

