Re: [ntp:questions] need option to ignore 'leap not in sync error'

On 14/01/2014 14:58, Sanal, Arjun (NSN - IN/Bangalore) wrote: >> Hi, >> I understand that whenever the server sets the Leap Indicator flag to 11 >> [not synchronized] the default behavior of ntp client is to reject the >> server time stamp. >> Is there any configuration option for ntpd by which

Re: [ntp:questions] better rate limiting against amplification attacks?

Greg Troxel writes: > Harlan Stenn writes: > > > William Unruh writes: > >> I do not mean the default in the config file, I mean the default if > >> there is no config file or if nothing is set in the config file. > > > > Then ntpd won't connect to anything and there will be no data to report. >

Re: [ntp:questions] better rate limiting against amplification attacks?

Bill, For me, your "information/attitude ratio" (similar to a "sigal/noise ratio") skews towards trolldom enough that I often just don't bother responding to what you write. I would have sent this privately but I have no idea what your real email address is. H -- William Unruh writes: > On 2014-

Re: [ntp:questions] better rate limiting against amplification attacks?

Brian Utterback writes: > On 1/15/2014 7:18 PM, Greg Troxel wrote: >> [invalid William has been trimmed from the cc list] >> >> Harlan Stenn writes: >> >>> William Unruh writes: I do not mean the default in the config file, I mean the default if there is no config file or if nothing i

Re: [ntp:questions] better rate limiting against amplification attacks?

On 1/15/2014 7:18 PM, Greg Troxel wrote: [invalid William has been trimmed from the cc list] Harlan Stenn writes: William Unruh writes: I do not mean the default in the config file, I mean the default if there is no config file or if nothing is set in the config file. Then ntpd won't connec

Re: [ntp:questions] better rate limiting against amplification attacks?

[invalid William has been trimmed from the cc list] Harlan Stenn writes: > William Unruh writes: >> I do not mean the default in the config file, I mean the default if >> there is no config file or if nothing is set in the config file. > > Then ntpd won't connect to anything and there will be n

Re: [ntp:questions] Determine from logfiles if PPS/NMEA was discarded?

Hal Murray wrote: > Try something like: > statsdir /var/log/ntp/ > filegen protostats type day link > > That will get you things like: > 56672 78792.947 PPS(0) 8054 84 reachable > 56672 80327.947 GPS_NMEA(0) 80a3 83 unreachable > 56672 80391.944 GPS_NMEA(0) 80b4 84 reachable > 56672 80392.944 P

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Rob wrote: > Steve Kostecke wrote: > >> The same could be said about the NTP Reference Implementation >> Developers; they're busy, too. > > The difference is that while there is only one developers team, there > are many distributors that each have to do the same job. So overall >

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Harlan Stenn wrote: > William Unruh writes: >> I do not mean the default in the config file, I mean the default if >> there is no config file or if nothing is set in the config file. > > Then ntpd won't connect to anything and there will be no data to report. That was why the sente

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Harlan Stenn wrote: > William Unruh writes: >> Why does nptd not disable external monitoring or command by default. >> That way if someone wants to allow it, they have to actively do so, >> presumably knowing what they are doing. > > Because there is clear value in the monitoring in

Re: [ntp:questions] better rate limiting against amplification attacks?

William Unruh writes: > I do not mean the default in the config file, I mean the default if > there is no config file or if nothing is set in the config file. Then ntpd won't connect to anything and there will be no data to report. -- Harlan Stenn http://networktimefoundation.org - be a member!

Re: [ntp:questions] better rate limiting against amplification attacks?

Steve Kostecke wrote: > On 2014-01-15, Rob wrote: >> William Unruh wrote: >>> >>> I do not mean the default in the config file, I mean the default if >>> there is no config file or if nothing is set in the config file. >> >> That only becomes meaningful when ntpd starts to actually work without

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Rob wrote: > William Unruh wrote: >> >> I do not mean the default in the config file, I mean the default if >> there is no config file or if nothing is set in the config file. > > That only becomes meaningful when ntpd starts to actually work without > config file. Of course that

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Harlan Stenn wrote: > Rob writes: > >> The default config shipped with ntpd, usually mostly provided by the >> distributor, is often terrible. (remember the LOCAL clock?) > > Yes, because there is no default configuration in the distribution. > > That is left to the "vendor" to pro

Re: [ntp:questions] better rate limiting against amplification attacks?

William Unruh writes: > Why does nptd not disable external monitoring or command by default. > That way if someone wants to allow it, they have to actively do so, > presumably knowing what they are doing. Because there is clear value in the monitoring information being made generally available. W

Re: [ntp:questions] better rate limiting against amplification attacks?

William Unruh wrote: > On 2014-01-15, Rob wrote: >> William Unruh wrote: >>> On 2014-01-15, Steve Kostecke wrote: On 2014-01-15, David Woolley wrote: > On 27/12/13 10:24, Rob wrote: > >> There are more and more amplification attacks against ntp servers, >> similar to t

Re: [ntp:questions] better rate limiting against amplification attacks?

Rob writes: > The default config shipped with ntpd, usually mostly provided by the > distributor, is often terrible. (remember the LOCAL clock?) Yes, because there is no default configuration in the distribution. That is left to the "vendor" to provide, as they know more about their client base

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Rob wrote: > William Unruh wrote: >> On 2014-01-15, Steve Kostecke wrote: >>> On 2014-01-15, David Woolley wrote: >>> On 27/12/13 10:24, Rob wrote: > There are more and more amplification attacks against ntp servers, > similar to those against open DNS resolvers.

Re: [ntp:questions] How is the NTP build tested?

On 14.01.2014 18:53, William Unruh wrote: > On 2014-01-14, Terje Mathisen wrote: >> The entire NTP ensemble, from the current machine and up to all its >> sources, constitute a distributed control loop, right? >> >> This means that the stability and eventual precision of any given clock >> depen

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Rob wrote: > William Unruh wrote: > >> On 2014-01-15, Steve Kostecke wrote: >> >>> On 2014-01-15, David Woolley wrote: >>> CERT have just issued an alert about the monlist attack: (TA14-013A: NTP Amplification Attacks U

Re: [ntp:questions] better rate limiting against amplification attacks?

William Unruh wrote: > On 2014-01-15, Steve Kostecke wrote: >> On 2014-01-15, David Woolley wrote: >> >>> On 27/12/13 10:24, Rob wrote: >>> There are more and more amplification attacks against ntp servers, similar to those against open DNS resolvers. A small packet sent with a spo

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, Steve Kostecke wrote: > On 2014-01-15, David Woolley wrote: > >> On 27/12/13 10:24, Rob wrote: >> >>> There are more and more amplification attacks against ntp servers, >>> similar to those against open DNS resolvers. A small packet sent with >>> a spoofed source address (allowed by

Re: [ntp:questions] need option to ignore 'leap not in sync error'

On 14/01/2014 14:58, Sanal, Arjun (NSN - IN/Bangalore) wrote: Hi, I understand that whenever the server sets the Leap Indicator flag to 11 [not synchronized] the default behavior of ntp client is to reject the server time stamp. Is there any configuration option for ntpd by which I can make the

Re: [ntp:questions] better rate limiting against amplification attacks?

On 2014-01-15, David Woolley wrote: > On 27/12/13 10:24, Rob wrote: > >> There are more and more amplification attacks against ntp servers, >> similar to those against open DNS resolvers. A small packet sent with >> a spoofed source address (allowed by a lame ISP) results in a large >> reply from

[ntp:questions] need option to ignore 'leap not in sync error'

Hi, I understand that whenever the server sets the Leap Indicator flag to 11 [not synchronized] the default behavior of ntp client is to reject the server time stamp. Is there any configuration option for ntpd by which I can make the ntp client to trust the server even in this case? -- Arjun __

Re: [ntp:questions] better rate limiting against amplification attacks?

On 27/12/13 10:24, Rob wrote: What is the NTP developers position on implementation of better rate limiting options in ntpd? There are more and more amplification attacks against ntp servers, similar to those against open DNS resolvers. A small packet sent with a spoofed source address (allowed