I see ways to improve this, and I'll make improvements in p16.

There will be significant new functionality in this area in the upcoming
4.4 release.

In the meantime, one can use 'restrict noquery' (a feature that has been
available for a very long time) to block mode6 (and mode7, already
disabled by default) from inappropriate sources.  We have been doing
this for many years in the ntp.conf files we use on our servers.

On 5/19/2021 9:18 AM, Brian Utterback wrote:
> We are getting customer inquiries about Mode 6 packets and DDOS packet
> amplification issues. It seems that security audit vendors have started
> checking to see if NTP is allowing mode 6 packets. I am getting some
> pressure to disable them by default. I notice that some vendors have
> indeed done that, but others rate limit mode 6 packets to prevent them
> from being useful in a DDOS. Does the stock NTP distro have such rate
> limiting already built in? If not, is there anything to mitigate the
> problem by default?

-- 
Harlan Stenn <st...@nwtime.org>
http://networktimefoundation.org - be a member!
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
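
The 'restrict noquery' mitigation from the reply can be checked mechanically. The following is an added example, not code from the thread or from the NTP project: a small auditor that lists the non-loopback networks an ntp.conf still lets send mode 6 queries. The function names and both sample configurations are constructed, and it assumes a bare `default` covers IPv4 and IPv6 and that repeated entries for one network merge their flags.

```python
import ipaddress

BLOCKING = {"noquery", "ignore"}  # either flag stops mode 6 (ntpq) queries
# Assumption: a bare 'default' covers both families; -4/-6 narrows it to one.
DEFAULTS = {"-4": "0.0.0.0/0", "-6": "::/0"}

def parse_restrict(line):
    """Return (networks, flags) for one 'restrict' line, else None."""
    tok = line.split("#", 1)[0].split()
    if len(tok) < 2 or tok[0] != "restrict":
        return None
    tok, family = tok[1:], None
    if tok[0] in DEFAULTS and len(tok) > 1:
        family, tok = tok[0], tok[1:]
    addr, rest = tok[0], tok[1:]
    if addr == "default":
        nets = [n for fam, n in DEFAULTS.items() if family in (None, fam)]
        return [ipaddress.ip_network(n) for n in nets], set(rest)
    try:
        ip = ipaddress.ip_address(addr)
        prefix = ip.max_prefixlen            # no mask means a single host
        if len(rest) >= 2 and rest[0] == "mask":
            prefix = bin(int(ipaddress.ip_address(rest[1]))).count("1")
            rest = rest[2:]
    except ValueError:
        return None                          # hostname or 'source': not handled
    return [ipaddress.ip_network(f"{ip}/{prefix}", strict=False)], set(rest)

def query_allowed_networks(conf_text):
    """List non-loopback networks whose restrict entry still permits mode 6.

    With no restrict lines at all, both default entries carry no flags.
    """
    flags = {ipaddress.ip_network(n): set() for n in DEFAULTS.values()}
    for line in conf_text.splitlines():
        parsed = parse_restrict(line)
        if parsed:
            for net in parsed[0]:
                # Assumption: repeated entries for one network merge flags.
                flags.setdefault(net, set()).update(parsed[1])
    return sorted(str(n) for n, f in flags.items()
                  if not f & BLOCKING and not n.is_loopback)

# Constructed sample configurations, not taken from the thread.
WEAK = """restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""
HARDENED = WEAK.replace("nopeer", "nopeer noquery") + (
    "restrict 192.0.2.0 mask 255.255.255.0 nomodify  # monitoring subnet\n")
```

An empty result means only loopback can query; any network that is listed is either an oversight or a deliberate exemption worth reviewing.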
