You generally only need rate limits if you have monlist enabled for some
reason. There's no reason to expose monlist to the internet, so you
shouldn't need rate limits.
I've lost track of how many times I've said this, but iptables is not
the solution to these attacks. The solution is fixing your config to
disable monlist (add noquery to your 'restrict default' lines).
Those rules are also useless against the attack. One monlist request
can generate 40+ packets, so your rate limit won't really help a whole lot.
On 2/20/2014 12:20 PM, Scott Baker wrote:
> I wrote this up, and it may be helpful to some other people on the list.
> http://www.perturb.org/display/1163_IPTables_limit_source_packet_rate.html
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
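As an added example that is not part of the original message or of ntpd itself, the POSIX shell audit below flags `restrict default` lines in an ntp.conf that lack the `noquery` flag the reply recommends, which is what stops ntpd from answering monlist (mode 7) queries. Both sample configs are constructed for the demo. Two caveats worth knowing: ntpd 4.2.7p26 and later no longer implement monlist at all, so this matters for the older builds that were common in 2014; and `noquery` also blocks ntpq/ntpdc status queries from the matched hosts, so a separate `restrict 127.0.0.1` line is what keeps local management working.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ntp.conf for
# 'restrict default' lines that lack 'noquery', the setting the reply
# recommends so ntpd stops answering monlist (mode 7) queries.
# The two sample configs below are constructed for the demo.

# audit_ntp_restrict FILE
#   Prints every 'restrict [-4|-6] default ...' line that does not carry
#   'noquery'. Returns 0 when all default restrictions are hardened,
#   1 when at least one still answers queries.
audit_ntp_restrict() {
    offending=$(
        sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' \
        | grep -Ev '(^|[[:space:]])noquery([[:space:]]|$)' || true
    )
    if [ -n "$offending" ]; then
        printf '%s\n' "$offending" | sed 's/^/missing noquery: /'
        return 1
    fi
    return 0
}

# Constructed sample 1: a config that still honours monlist from anywhere.
# (The trailing comment mentions noquery, but comments are stripped before
# matching, so it is correctly reported as missing.)
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no noquery: answers monlist
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
EOF

# Constructed sample 2: the same config with noquery on both default lines.
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1   # localhost keeps query access for ntpq/ntpdc
restrict ::1
EOF

echo "== weak config =="
audit_ntp_restrict "$WEAK_CONF" || echo "result: still answers monlist"
echo "== hardened config =="
audit_ntp_restrict "$HARDENED_CONF" && echo "result: ok"
```

Run it against your own file with `audit_ntp_restrict /etc/ntp.conf` after sourcing the script; a non-zero exit status makes it easy to wire into a config-management check.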