-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 23. 12. 2013 18:14, Rob wrote:
I would just like to understand this...
For noquery I understand, but for nopeer? The manual page
states:
Deny packets that might mobilize an association unless
authenticated. This includes broadcast,
Jure Sah dustwo...@gmail.com wrote:
On 23. 12. 2013 18:14, Rob wrote:
I would just like to understand this...
For noquery I understand, but for nopeer? The manual page
states:
Deny packets that might mobilize an association unless
authenticated. This includes broadcast, symmetric-active
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
On 21. 11. 2013 18:12, Michael Sinatra wrote:
How can I disable this behavior of ntpd?
There are several ways, but having a basic 'restrict' statement in
your config like this will help mitigate this attack:
restrict default noquery
Jure Sah dustwo...@gmail.com wrote:
Wouldn't noquery or nopeer also prevent your timeserver from being
used by other timeservers? Or at least limit usability?
Not really. It limits the possibilities of remote debugging
(e.g. seeing which servers you are synced to), but it does not limit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
On 23. 12. 2013 15:13, Rob wrote:
Jure Sah dustwo...@gmail.com wrote:
Wouldn't noquery or nopeer also prevent your timeserver from
being used by other timeservers? Or at least limit usability?
Not really. It limits the possibilities of
Jure Sah dustwo...@gmail.com wrote:
Hi,
On 23. 12. 2013 15:13, Rob wrote:
Jure Sah dustwo...@gmail.com wrote:
Wouldn't noquery or nopeer also prevent your timeserver from
being used by other timeservers? Or at least limit usability?
Not really. It limits the possibilities of debugging
On 2013-12-23, Jure Sah dustwo...@gmail.com wrote:
On 23. 12. 2013 15:13, Rob wrote:
For noquery I understand, but for nopeer? The manual page states:
Deny packets that might mobilize an association unless authenticated.
This includes broadcast, symmetric-active and manycast server
packets
On Thursday, 21 November 2013 11:42:39 UTC-5, Rudolf E. Steiner wrote:
Hi.
We have strong reflection attacks on our public timeserver (ntpd 4.2.6p5).
The strange behavior is that the server receives one packet and sends 100 packets
to the target.
Incoming packet:
- begin -
Network Time Protocol (NTP Version 2, private)
Flags: 0x17
0... = Response bit:
On 11/21/2013 08:42, Rudolf E. Steiner wrote:
Hi.
We have strong reflection attacks on our public timeserver (ntpd 4.2.6p5).
The strange behavior is that the server receives one packet and sends 100 packets
to the target.
Yes, this is becoming increasingly common, and everyone operating NTP
Now that I've had some quality time with Wireshark, I can confirm that I'm
seeing exactly what Rudolf was seeing. Since implementing Michael's
suggestion, I'm still getting the packets, but not responding to them.
That will do for now...
Ian
Michael Sinatra wrote:
I believe the key command is 'noquery' which means that the server can't
be queried for information (it does NOT affect the server's ability to
respond to time requests).
That's it. Too simple. RTFM! :-(
I have deleted noquery at the time of installation. I thought it
On 2013-11-21, Michael Sinatra mich...@rancid.berkeley.edu wrote:
There are several ways, but having a basic 'restrict' statement in
your config like this will help mitigate [reflection attacks]:
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap
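The claims made across the thread (noquery refuses ntpq/ntpdc queries but leaves ordinary mode 3 time requests alone; nopeer refuses unauthenticated packets that would mobilize a new association, i.e. symmetric-active and broadcast) can be checked against a small model of how the restrict flags act on the first header byte of an incoming packet. The following is an added example written for this page, not code from the thread or from ntpd itself: the function names (`parse_header`, `restrict_decision`, `audit`), the constructed sample packets and the minimum-length check are assumptions, chosen to match the ntp.conf manual text quoted above and the 0x17 flags byte shown in the Wireshark decode.

```python
"""Model of how ntpd's 'restrict' flags act on incoming packets, by NTP mode.

Added example: not code from the ntp.org thread above or from ntpd.  It
encodes the behaviour the ntp.conf manual page describes for noquery and
nopeer (plus the related noserve and ignore flags).  The sample packets are
constructed; only the first header byte matters for the decision.
"""
from dataclasses import dataclass
from typing import Collection

# NTP association modes (RFC 5905, section 7.3).  Modes 6 and 7 carry the
# ntpq and ntpdc query protocols that 'noquery' refuses.
MODE_NAMES = {
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control (ntpq)",
    7: "private (ntpdc)",
}

QUERY_MODES = {6, 7}        # refused by 'noquery'
MOBILIZING_MODES = {1, 5}   # refused by 'nopeer' unless authenticated
MIN_LEN = {6: 12, 7: 8}     # header sizes; modes 1-5 use the 48-byte packet


@dataclass(frozen=True)
class Header:
    version: int
    mode: int
    response: bool   # mode 7 only: bit 7 of the first byte is the R bit


def parse_header(pkt: bytes) -> Header:
    """Decode the first byte of an NTP packet.

    Modes 0-6 lay it out as LI(2) VN(3) MODE(3); mode 7 (ntpdc private) as
    R(1) M(1) VN(3) MODE(3).  That is why the 0x17 flags byte in the
    thread's Wireshark decode reads as 'NTP Version 2, private' with the
    response bit clear.
    """
    if not pkt:
        raise ValueError("empty packet")
    b = pkt[0]
    mode = b & 0x07
    version = (b >> 3) & 0x07
    if len(pkt) < MIN_LEN.get(mode, 48):
        raise ValueError(f"mode {mode} packet too short: {len(pkt)} bytes")
    response = bool(b & 0x80) if mode == 7 else False
    return Header(version=version, mode=mode, response=response)


def restrict_decision(pkt: bytes, flags: Collection[str],
                      authenticated: bool = False) -> str:
    """Return 'serve' or 'drop' for pkt under the given restrict flags.

    Approximation (assumed here, see lead-in): 'ignore' drops everything,
    'noquery' drops mode 6/7 queries, 'noserve' drops everything except
    queries, 'nopeer' drops unauthenticated packets that would mobilize an
    association.  A plain mode 3 client request is untouched by noquery and
    nopeer, which is the point made in the thread.
    """
    try:
        h = parse_header(pkt)
    except ValueError:
        return "drop"                      # malformed / truncated packet
    if "ignore" in flags:
        return "drop"
    if h.mode == 7 and h.response:
        return "drop"                      # ntpd only acts on mode 7 requests
    if h.mode in QUERY_MODES:
        return "drop" if "noquery" in flags else "serve"
    if "noserve" in flags:
        return "drop"
    if h.mode in MOBILIZING_MODES and "nopeer" in flags and not authenticated:
        return "drop"
    return "serve"


def ntp_packet(first_byte: int, length: int = 48) -> bytes:
    """Constructed packet: the given first byte followed by zero padding."""
    return bytes([first_byte]) + b"\x00" * (length - 1)


# Constructed samples.  0x17 is the flags byte from the thread's capture.
SAMPLES = {
    "client v4 (mode 3)":        ntp_packet(0x23),
    "client v3 (mode 3)":        ntp_packet(0x1B),
    "symmetric active (mode 1)": ntp_packet(0x21),
    "broadcast (mode 5)":        ntp_packet(0x25),
    "ntpq control (mode 6)":     ntp_packet(0x16, 12),
    "ntpdc request (mode 7)":    ntp_packet(0x17, 8),
    "ntpdc response (mode 7)":   ntp_packet(0x97, 8),
}


def audit(flags: Collection[str]) -> dict:
    """Map each sample packet to its decision under the given restrict flags."""
    return {name: restrict_decision(pkt, flags) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for cfg in (set(), {"noquery"}, {"noquery", "nopeer"}):
        print(f"restrict default {' '.join(sorted(cfg)) or '(no flags)'}")
        for name, decision in audit(cfg).items():
            print(f"  {name:28s} -> {decision}")
```

Running it shows the three configurations side by side: with no flags every sample is served, including the mode 7 request that drew the 100-packet reply in the original report; `noquery` alone drops modes 6 and 7 while both mode 3 client packets are still served; adding `nopeer` additionally drops the unauthenticated symmetric-active and broadcast packets, again without touching mode 3.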
13 matches