What is the NTP developers position on implementation of better rate limiting options in ntpd?
There are more and more amplification attacks against NTP servers, similar to those against open DNS resolvers. A small packet sent with a spoofed source address (allowed by a lame ISP) results in a large reply from ntpd, sent to the victim of the attack. Possible candidates are of course the commands to retrieve the list of clients (similar to "ntpdc -c monlist") and the list of associated servers ("ntpq -p").

The options to limit the replies to those responses are not very detailed. One can deny all queries, but that is about it. It would be useful to have configurable rate limiting like on the normal time queries, and preferably configurable as global. So the rate of all queries should be limited, not per source IP address. And it would be good if queries can be denied individually, so that the peer servers query can still be issued but the monlist query cannot.

Of course all of this can be done in a good firewall, but it usually requires lots of knowledge about the protocol details. It would be nice if ntpd could filter this at application level. Is this being considered?

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
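For readers looking for what ntpd's own configuration already offers against the amplification scenario described above, here is an ntp.conf fragment added as an example (it is not part of the original post): it disables the monlist MRU list, applies the kiss-o'-death rate limiter to everyone, and keeps mode 6/7 queries open only to localhost. The `restrict`, `discard` and `disable monitor` directives are standard ntpd configuration; the upstream server name and the trusted LAN prefix are placeholders.

```conf
# Tune the built-in rate limiter that the "limited" flag enforces:
# average 2^3 = 8 s between packets from one source, minimum 2^2 = 4 s.
discard average 3 minimum 2

# Default for every source: respond to time requests only, answer bursts
# with kiss-o'-death packets ("kod" + "limited"), and refuse all
# mode 6 (ntpq) and mode 7 (ntpdc) queries ("noquery").
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Localhost may still run "ntpq -p" and friends.
restrict 127.0.0.1
restrict -6 ::1

# Optional: allow read-only queries from a trusted management prefix.
# 192.0.2.0/24 is a placeholder; substitute your own network.
restrict 192.0.2.0 mask 255.255.255.0 kod limited nomodify notrap nopeer

# Turn off the MRU list entirely so "monlist" has nothing to return,
# regardless of the restrict rules above.
disable monitor

# Placeholder upstream source.
server ntp.example.com iburst
```

After a reload, `ntpdc -n -c monlist <server>` from any outside host should time out, while `ntpq -p` on the server itself still works.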