On Mon, Jun 25, 2012 at 1:25 PM, Matt Wagner <[email protected]> wrote:
> What is the best place to find further documentation on this? (Or, do you
> have a recommended setup?)
>
> All I'm able to find is
> http://www.eecis.udel.edu/~mills/ntp/html/accopt.html which suggests that
> "limited" may have no effect unless a "discard" line is specified as well.
> I'm curious what the recommended values are for that.

That page says exactly what I said below, in two different ways, in this
paragraph describing the "kod" restriction:

"Send a kiss-o'-death (KoD) packet if the limited flag is present and a
packet violates the rate limits established by the discard command. KoD
packets are themselves rate limited for each source address separately. If
the kod flag is used in a restriction which does not have the limited flag,
no KoD responses will result."

As it says, kod is ineffective lacking limited. Regarding limited and
discard, there are default values for the discard command -- you need no
discard command for limited or limited + kod to be effective.

> Incidentally, on Fedora/CentOS/RHEL, the default is the same as mentioned on
> Debian -- the "kod" restriction is present, but "limited" is not. (And the
> "Secure NTP Template" on Team Cymru's site makes no mention of "kod" or
> "limited".)

Feel free to educate those third parties.

Cheers,
Dave Hart

> On Sat, Jun 23, 2012 at 11:36 PM, Dave Hart <[email protected]> wrote:
>>
>> Ted, your posted ntp.conf has:
>>
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>>
>> If you're using ntpd 4.2.6 or later, you can consolidate that into a
>> single line omitting -4/-6. In any case, please consider adding
>> "limited" to your default restrictions, so that clients are
>> rate-limited and your server is less useful for spoofed-source-address
>> reflection attacks. Without "limited", the "kod" is useless -- it
>> controls only how ntpd responds to rate limit exceeded, but first you
>> have to have "limited" to enforce the rate limit.
>>
>> Cheers,
>> Dave Hart
>> _______________________________________________
>> pool mailing list
>> [email protected]
>> http://lists.ntp.org/listinfo/pool
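An added example, not part of the thread or of ntpd itself: a small POSIX sh check that reads an ntp.conf and flags `restrict ... default` lines carrying `kod` without `limited`, the combination Dave Hart explains is a no-op because `kod` only chooses the response once the rate limit is exceeded and `limited` is what enforces it. The two config fragments are constructed to mirror the distro default and the corrected form described above (the single `restrict default` line relies on ntpd 4.2.6 or later); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the ntp project.
# Flags "restrict ... default" lines in an ntp.conf that carry "kod" but not
# "limited": kod alone never sends a KoD because no rate limit is enforced.
set -f   # no globbing while word-splitting config lines

# Constructed ntp.conf fragments (not any real host's configuration).
# WEAK_CONF mirrors the distro default the thread describes: kod, no limited.
WEAK_CONF='driftfile /var/lib/ntp/drift
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
# restrict default kod   (a comment; must be ignored by the check)'

# FIXED_CONF follows the advice: add "limited"; on ntpd 4.2.6+ one line
# without -4/-6 covers both IPv4 and IPv6.
FIXED_CONF='driftfile /var/lib/ntp/drift
restrict default kod limited notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1'

# Read an ntp.conf on stdin; print each "restrict ... default" line that
# has the kod flag but lacks the limited flag.
flag_kod_without_limited() {
    while IFS= read -r line; do
        # Split on whitespace; comment lines and non-restrict lines are skipped.
        set -- $line
        [ "${1:-}" = restrict ] || continue
        has_default=0; has_kod=0; has_limited=0
        for tok in "$@"; do
            case "$tok" in
                default) has_default=1 ;;
                kod)     has_kod=1 ;;
                limited) has_limited=1 ;;
            esac
        done
        if [ "$has_default" -eq 1 ] && [ "$has_kod" -eq 1 ] && [ "$has_limited" -eq 0 ]; then
            printf 'kod without limited: %s\n' "$line"
        fi
    done
}

# Same input on stdin; print only the number of offending lines.
count_kod_without_limited() {
    flag_kod_without_limited | {
        n=0
        while IFS= read -r _; do n=$((n + 1)); done
        echo "$n"
    }
}

echo "weak config:";  printf '%s\n' "$WEAK_CONF"  | flag_kod_without_limited
echo "fixed config:"; printf '%s\n' "$FIXED_CONF" | flag_kod_without_limited
```

Run it against a real file with `flag_kod_without_limited < /etc/ntp.conf`; any output means the server answers every query at full rate regardless of the `kod` flag, and adding `limited` to that line is the fix the thread recommends.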
