On Tue, Dec 17, 2013 at 1:09 PM, Hal Murray <[email protected]> wrote:
>
> > [email protected] said:
> > Like Marc and Rob, I turn away from the rate-limiting facilities built into
> > ntpd. My reason: ntpd rate-limiting keeps a list of only 600 clients.
> > That's not so bad for a start.
>
> That area was cleaned up a while ago. It's in ntp-dev, but hasn't made it to
> a release yet.
> http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#mru
>
> It would be really good if somebody with a few clues in this area could test
> the new code and verify that it is ready for prime time.
If you'll forgive me for a slight digression from the mrulist itself: Has the
rate-limiting code been changed to apply to non-time queries? The
documentation for the 'limited' keyword appears to still warn: "This does not
apply to ntpq and ntpdc queries."

It appears that the limits are designed to try to protect the server from
badly-behaving clients, not to afford protection against DDoS amplification
attacks.

I've just received an abuse complaint for one of my servers -- ironically, the
only one to have never been in the NTP pool -- which pumped out about 440GB of
NTP traffic in a few days. I strongly suspect that it was abused by sending
something like 'ntpdc -nc monlist' from a spoofed IP.

While most Linux distributions seem to ship with the 'noquery' option enabled
to prevent such queries, a number of public servers appear to intentionally
remove that option to allow clients or others to inspect things like its full
server list. Unfortunately, it is now clear that this makes the servers
sitting ducks, effectively as dangerous as open DNS servers.

I've gone and added 'noquery' back into the restrictions list for all of my
servers, but not without a tinge of sadness.

--
Matt

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
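The fix Matt describes (putting 'noquery' back on the default restrict lines) can be checked mechanically across a fleet of servers before an abuse complaint arrives. The script below is an added example written for this thread; it is not code from the mailing list or from the NTP project. The two ntp.conf fragments are constructed, and the assumptions are the ones the thread states: 'noquery' (or 'ignore') stops ntpq/ntpdc mode 6/7 queries such as monlist, while 'limited' only rate-limits time packets and, as the quoted documentation warns, does nothing for those queries.

```python
"""Audit ntp.conf 'restrict' lines for default scopes that still answer
ntpq/ntpdc queries (the ones 'ntpdc -nc monlist' abuses for amplification).

Added example for this mailing-list thread; not NTP project code.
Assumptions: 'noquery' and 'ignore' block mode 6/7 queries; 'limited' and
'kod' only affect time requests and are therefore not counted as protection.
"""

# Constructed sample configurations, not taken from any real server.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# 'limited' rate-limits time packets only; ntpq/ntpdc queries still pass.
restrict default kod limited nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Keywords that actually stop ntpq/ntpdc queries from a given scope.
QUERY_BLOCKING = {"noquery", "ignore"}


def parse_restrict_lines(conf_text):
    """Return (family, target, flags) for every restrict line.

    family is '-4', '-6' or None; target is the address keyword ('default',
    an IP, or 'IP mask MASK'); flags is the set of remaining keywords.
    Comments (after '#') and blank lines are skipped.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "restrict":
            continue
        tokens = parts[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens:
            continue
        target = tokens.pop(0)
        # 'mask' takes an argument; fold it into the target so the mask
        # value is never mistaken for a restriction flag.
        if len(tokens) >= 2 and tokens[0] == "mask":
            target = f"{target} mask {tokens[1]}"
            tokens = tokens[2:]
        entries.append((family, target, set(tokens)))
    return entries


def exposed_defaults(conf_text):
    """Names of default scopes that still answer ntpq/ntpdc queries.

    A config with no 'restrict default' line at all is reported too, because
    ntpd then imposes no restriction on anyone.
    """
    defaults = [(fam, flags) for fam, tgt, flags in parse_restrict_lines(conf_text)
                if tgt == "default"]
    if not defaults:
        return ["default (no restrict line: ntpd answers everyone)"]
    return [f"default {fam or '-4/-6'}"
            for fam, flags in defaults if not (flags & QUERY_BLOCKING)]


def report(name, conf_text):
    """Human-readable one-line verdict for one configuration."""
    exposed = exposed_defaults(conf_text)
    if exposed:
        return f"{name}: OPEN to mode 6/7 queries on {', '.join(exposed)}"
    return f"{name}: ok, default scopes carry noquery/ignore"


if __name__ == "__main__":
    print(report("weak", WEAK_CONF))
    print(report("hardened", HARDENED_CONF))
```

Run it against the real /etc/ntp.conf by reading the file into a string and passing it to `report`; the parser only reads the config, so it is safe to run from a cron job that mails the verdict to the operator.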
