Harlan Stenn st...@ntp.org wrote:
David Lord writes:
I have restrict -4 limited kod nomodify notrap nopeer noquery
I've not checked most recent docs but thought limited was
needed for kod.
It is.
There were also some posts indicating that kod could be
counterproductive leading to self
Is there not a case for issuing 4.2.8 now, warts and all, and advising
the world of the upgrade? 4.2.7p410 is working well on all my systems,
and 4.2.7p411 is only a documentation update.
--
Cheers,
David
Web: http://www.satsignal.eu
David Taylor wrote:
Is there not a case for issuing 4.2.8 now, warts and all, and advising
the world of the upgrade? 4.2.7p410 is working well on all my systems,
and 4.2.7p411 is only a documentation update.
There's a very good case for doing so, the only formal stopper is the
current list of
Harlan Stenn st...@ntp.org wrote:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will be no data to report.
The data to report is not what
On Wed, Jan 15, 2014 at 08:35:32PM +, Rob wrote:
William Unruh un...@invalid.ca wrote:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
That only becomes meaningful when ntpd starts to actually work
Harlan Stenn st...@ntp.org wrote:
So please complain as much as you want. Please volunteer as much as you
want. Please financially support Network Time as much as you want. I
also invite folks to pay attention to what they want to get, and see
how what they are and are not doing correlates
Rob writes:
Harlan Stenn st...@ntp.org wrote:
So please complain as much as you want. Please volunteer as much as you
want. Please financially support Network Time as much as you want. I
also invite folks to pay attention to what they want to get, and see
how what they are and are not
Greg Troxel g...@ir.bbn.com wrote:
Really, ntpd should, when run with a config file of only
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
Debian seems to ship the following (minus comments and disabled stuff):
driftfile /var/lib/ntp/ntp.drift
server
Harlan Stenn wrote:
Greg Troxel writes:
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will be no
Ralph Aichinger writes:
Greg Troxel g...@ir.bbn.com wrote:
Really, ntpd should, when run with a config file of only
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
Debian seems to ship the following (minus comments and disabled stuff):
driftfile
Martin,
I'm OK including updated ntp.conf files in the distribution, for 4.2.8 even.
H
___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Harlan Stenn wrote:
Martin,
I'm OK including updated ntp.conf files in the distribution, for 4.2.8 even.
How about changing the built-in default restrictions in 4.2.8 so that
they match what is commonly used nowadays, without having to specify the
restrict lines?
Martin
--
Martin
Harlan Stenn wrote:
Ralph Aichinger writes:
Debian seems to ship the following (minus comments and disabled stuff):
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
Martin Burnicki martin.burni...@meinberg.de wrote:
I bet the server options for pool servers are in there because this
was used in earlier versions before the pool keyword was introduced,
and it still works.
instead, and I'd have to look up when the 'pool' directive was put in
there.
On Thu, Jan 16, 2014 at 02:28:32PM +0100, Martin Burnicki wrote:
Harlan Stenn wrote:
pool 0.debian.pool.ntp.org iburst
I bet the server options for pool servers are in there because
this was used in earlier versions before the pool keyword was
introduced, and it still works.
instead,
Miroslav Lichvar wrote:
On Thu, Jan 16, 2014 at 02:28:32PM +0100, Martin Burnicki wrote:
Harlan Stenn wrote:
pool 0.debian.pool.ntp.org iburst
I bet the server options for pool servers are in there because
this was used in earlier versions before the pool keyword was
introduced, and it
Rob wrote:
Martin Burnicki martin.burni...@meinberg.de wrote:
I bet the server options for pool servers are in there because this
was used in earlier versions before the pool keyword was introduced,
and it still works.
instead, and I'd have to look up when the 'pool' directive was put in
On 2014-01-16, Greg Troxel g...@ir.bbn.com wrote:
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will
Steve Kostecke wrote:
On 2014-01-16, Greg Troxel g...@ir.bbn.com wrote:
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to
On 1/16/2014 3:45 PM, Steve Kostecke wrote:
On 2014-01-16, Greg Troxel g...@ir.bbn.com wrote:
Harlan Stenn st...@ntp.org writes:
The majority use case for ntpd is to synchronize your clock to UTC (i.e.
a leaf-node client). So an ntpd ought to have the following defaults:
driftfile
David Lord writes:
I have restrict -4 limited kod nomodify notrap nopeer noquery
I've not checked most recent docs but thought limited was
needed for kod.
It is.
There were also some posts indicating that kod could be
counterproductive leading to self-inflicted DoS.
I'd love to learn
On 2014-01-16, David Lord sn...@lordynet.org wrote:
Steve Kostecke wrote:
[---=| Quote block shrinked by t-prot: 25 lines snipped |=---]
[snip: sample defaults]
I have restrict -4 limited kod nomodify notrap nopeer noquery
I've not checked most recent docs but thought limited was
On 2014-01-16, Miroslav Lichvar mlich...@redhat.com wrote:
IIRC the pool command in 4.2.6 uses quite a lot of servers, which
probably is not an acceptable use of pool.ntp.org. I think it was
improved later in 4.2.7. The page about recommended configuration
doesn't mention it yet.
On 2014-01-16, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-16, Greg Troxel g...@ir.bbn.com wrote:
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config
Greg Troxel wrote:
Really, ntpd should, when run with a config file of only
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
# IMHO, More like:
restrict -4 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 default limited kod nomodify
On 27/12/13 10:24, Rob wrote:
What is the NTP developers position on implementation of better
rate limiting options in ntpd?
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent
with a spoofed source address
On 2014-01-15, David Woolley wrote:
On 27/12/13 10:24, Rob wrote:
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent with
a spoofed source address (allowed by a lame ISP) results in a large
reply from ntpd,
On 2014-01-15, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, David Woolley wrote:
On 27/12/13 10:24, Rob wrote:
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent with
a spoofed source address (allowed
William Unruh un...@invalid.ca wrote:
On 2014-01-15, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, David Woolley wrote:
On 27/12/13 10:24, Rob wrote:
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent
On 2014-01-15, Rob nom...@example.com wrote:
William Unruh un...@invalid.ca wrote:
On 2014-01-15, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, David Woolley wrote:
CERT have just issued an alert about the monlist attack:
https://www.us-cert.gov/ncas/alerts/TA14-013A (TA14-013A:
On 2014-01-15, Rob nom...@example.com wrote:
William Unruh un...@invalid.ca wrote:
On 2014-01-15, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, David Woolley wrote:
On 27/12/13 10:24, Rob wrote:
There are more and more amplification attacks against ntp servers,
similar to those
Rob writes:
The default config shipped with ntpd, usually mostly provided by the
distributor, is often terrible. (remember the LOCAL clock?)
Yes, because there is no default configuration in the distribution.
That is left to the vendor to provide, as they know more about their
client base
William Unruh un...@invalid.ca wrote:
On 2014-01-15, Rob nom...@example.com wrote:
William Unruh un...@invalid.ca wrote:
On 2014-01-15, Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, David Woolley wrote:
On 27/12/13 10:24, Rob wrote:
There are more and more amplification attacks
William Unruh writes:
Why does ntpd not disable external monitoring or command by default?
That way if someone wants to allow it, they have to actively do so,
presumably knowing what they are doing.
Because there is clear value in the monitoring information being made
generally available.
We
On 2014-01-15, Harlan Stenn st...@ntp.org wrote:
Rob writes:
The default config shipped with ntpd, usually mostly provided by the
distributor, is often terrible. (remember the LOCAL clock?)
Yes, because there is no default configuration in the distribution.
That is left to the vendor to
On 2014-01-15, Rob nom...@example.com wrote:
William Unruh un...@invalid.ca wrote:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
That only becomes meaningful when ntpd starts to actually work without
Steve Kostecke koste...@ntp.org wrote:
On 2014-01-15, Rob nom...@example.com wrote:
William Unruh un...@invalid.ca wrote:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
That only becomes meaningful when
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will be no data to report.
--
Harlan Stenn st...@ntp.org
http://networktimefoundation.org -
On 2014-01-15, Harlan Stenn st...@ntp.org wrote:
William Unruh writes:
Why does ntpd not disable external monitoring or command by default?
That way if someone wants to allow it, they have to actively do so,
presumably knowing what they are doing.
Because there is clear value in the
On 2014-01-15, Harlan Stenn st...@ntp.org wrote:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will be no data to report.
That was why
[invalid William has been trimmed from the cc list]
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there
On 1/15/2014 7:18 PM, Greg Troxel wrote:
[invalid William has been trimmed from the cc list]
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then
Brian Utterback brian.utterb...@oracle.com writes:
On 1/15/2014 7:18 PM, Greg Troxel wrote:
[invalid William has been trimmed from the cc list]
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config
Bill,
For me, your information/attitude ratio (similar to a signal/noise
ratio) skews towards trolldom enough that I often just don't bother
responding to what you write.
I would have sent this privately but I have no idea what your real email
address is.
H
--
William Unruh writes:
On
Greg Troxel writes:
Harlan Stenn st...@ntp.org writes:
William Unruh writes:
I do not mean the default in the config file, I mean the default if
there is no config file or if nothing is set in the config file.
Then ntpd won't connect to anything and there will be no data to report.
A C wrote:
On 1/8/2014 18:31, William Unruh wrote:
But this sounds like it is shooting someone else in the foot. That is
more serious. Ie, the default is that you should have to work quite hard
to enable the system to run these amplification attacks (I assume that
this is using the control
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Here's a live amplification attack at work.
On 12/29/2013 01:55, Terje Mathisen wrote:
Steve Kostecke wrote:
On 2013-12-28, Terje Mathisen terje.mathi...@tmsw.no wrote:
Harlan
On 2014-01-09, A C agcarver+...@acarver.net wrote:
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Here's a live amplification attack at work.
As I wrote in another post I believe the time is ripe for a sensible
On 1/8/2014 18:31, William Unruh wrote:
On 2014-01-09, A C agcarver+...@acarver.net wrote:
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Here's a live amplification attack at work.
As I wrote in another post I
A C writes:
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Here's a live amplification attack at work.
OK, and this problem is already fixed in ntp-dev and it doesn't have
anything to do with NOSERVE.
H
William Unruh writes:
On 2014-01-09, A C agcarver+...@acarver.net wrote:
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Here's a live amplification attack at work.
As I wrote in another post I believe the time
Steve Kostecke wrote:
On 2013-12-28, Terje Mathisen terje.mathi...@tmsw.no wrote:
Harlan Stenn wrote:
The other ones I'd really like help with. I definitely want to see
the network-related bugs fixed and 2367. I'd like to see some study
done on 2016. I'm game to let the other ones slide.
Steve Kostecke wrote:
On 2013-12-27, detha de...@foad.co.za wrote:
A first step would be to have a default configuration where any
functionality that can be used for reflection attacks with more than a say
2:1 ratio needs to be explicitly enabled, with warnings about this in the
sample config
On 28/12/2013 01:42, Brian Utterback wrote:
[]
But monlist doesn't work with the latest software. It was replaced by
mrulist which requires a handshake at the beginning, so the request
address can't be spoofed. That's what I meant by having to upgrade no
matter what we do.
Brian Utterback
The
David Taylor writes:
The next version must be quite close to release. Perhaps Harlan could
remind any of us who need chasing for critical patches to complete our work?
http://support.ntp.org/Dev/ReleaseSchedule has a link to the list of
blockers for 4.2.8.
Offhand, the ones I'm focusing on
Harlan Stenn wrote:
The other ones I'd really like help with. I definitely want to see the
network-related bugs fixed and 2367. I'd like to see some study done on
2016. I'm game to let the other ones slide.
I've just gone through 2367 and I have to join Brian's side:
I.e. if somebody adds
Message-
From: questions-bounces+elliott.ch=verizon@lists.ntp.org
[mailto:questions-bounces+elliott.ch=verizon@lists.ntp.org] On Behalf Of
Steve Kostecke
Sent: Friday, December 27, 2013 7:09 PM
To: questions@lists.ntp.org
Subject: Re: [ntp:questions] better rate limiting against amplification
[mailto:questions-bounces+elliott.ch=verizon@lists.ntp.org] On Behalf Of
Rob
Sent: Friday, December 27, 2013 11:50 AM
To: questions@lists.ntp.org
Subject: Re: [ntp:questions] better rate limiting against amplification
attacks?
Brian Utterback brian.utterb...@oracle.com wrote:
On 12/27/2013 5:24 AM
Harlan Stenn st...@ntp.org writes:
Greg Troxel writes:
Are you saying that a server (with the latest code) configured as
server host1.example.com
server host2.example.org
server host3.example.net
and nothing else in the ntp.conf will behave under current guidelines
for best
Steve Kostecke koste...@ntp.org writes:
On 2013-12-27, detha de...@foad.co.za wrote:
A first step would be to have a default configuration where any
functionality that can be used for reflection attacks with more than a say
2:1 ratio needs to be explicitly enabled, with warnings about this
On 28/12/2013 12:06, Harlan Stenn wrote:
David Taylor writes:
The next version must be quite close to release. Perhaps Harlan could
remind any of us who need chasing for critical patches to complete our work?
http://support.ntp.org/Dev/ReleaseSchedule has a link to the list of
blockers for
Terje,
As I recall from my discussions with DLM, we all agree that the current
code goes too far and needs to be changed.
DLM's point (OK, more properly, my recollection is that DLM's point) is
that he's concerned that Brian's fix is a bit too early and doing it
that way will open the door to
Brian Utterback wrote:
On 12/27/2013 5:50 PM, Jochen Bern wrote:
On 27 Dec 2013, Brian Utterback wrote:
Is a peer list really a big problem? It generally doesn't make sense to
have much beyond 10 peers. Are there really a lot of servers with a lot
of peers?
If you mean to ask whether such
On 2013-12-28, Greg Troxel g...@ir.bbn.com wrote:
Steve Kostecke koste...@ntp.org writes:
On 2013-12-27, detha de...@foad.co.za wrote:
A first step would be to have a default configuration where any
functionality that can be used for reflection attacks with more than a say
2:1 ratio needs
On 2013-12-28, Terje Mathisen terje.mathi...@tmsw.no wrote:
Harlan Stenn wrote:
The other ones I'd really like help with. I definitely want to see
the network-related bugs fixed and 2367. I'd like to see some study
done on 2016. I'm game to let the other ones slide.
I've just gone through
Charles Elliott wrote:
I looked up amplification attack. [...] But the same
website that defined amplification attack also described the solution: Use
TCP/IP.
Is not that just one more reason to switch ntpd, ntpq, and ntpdc from UDP to
TCP for query processing?
I'd like to make another -
What is the NTP developers position on implementation of better
rate limiting options in ntpd?
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent
with a spoofed source address (allowed by a lame ISP) results in
a
On 12/27/2013 5:24 AM, Rob wrote:
What is the NTP developers position on implementation of better
rate limiting options in ntpd?
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers. A small packet sent
with a spoofed source address
Brian Utterback brian.utterb...@oracle.com wrote:
On 12/27/2013 5:24 AM, Rob wrote:
What is the NTP developers position on implementation of better
rate limiting options in ntpd?
There are more and more amplification attacks against ntp servers,
similar to those against open DNS resolvers.
On 12/27/2013 11:49 AM, Rob wrote:
Brian Utterback brian.utterb...@oracle.com wrote:
On 12/27/2013 5:24 AM, Rob wrote:
What is the NTP developers position on implementation of better
rate limiting options in ntpd?
There are more and more amplification attacks against ntp servers,
similar to
Brian Utterback brian.utterb...@oracle.com wrote:
Not at all. I am asking the parameters of the attack. Is the current
software solution sufficient to stop such attacks? If so, then the
solution is for the servers to upgrade. Indeed, no solution we craft for
the current software development
In article 52bdbd18.9070...@oracle.com,
Brian Utterback brian.utterb...@oracle.com wrote:
Not at all. I am asking the parameters of the attack. Is the current
software solution sufficient to stop such attacks? If so, then the
solution is for the servers to upgrade. Indeed, no solution we craft
Garrett Wollman writes:
In article 52bdbd18.9070...@oracle.com,
Brian Utterback brian.utterb...@oracle.com wrote:
Not at all. I am asking the parameters of the attack. Is the current
software solution sufficient to stop such attacks? If so, then the
solution is for the servers to upgrade.
Harlan Stenn st...@ntp.org writes:
Garrett Wollman writes:
Unfortunately, I had to completely block NTP crossing our border
(except for six authorized servers) as there are far too many NTP
servers on our network with a default configuration that I have no
direct administrative control
On Fri, 27 Dec 2013 18:30:38 +, Rob wrote:
Brian Utterback brian.utterb...@oracle.com wrote:
Not at all. I am asking the parameters of the attack. Is the current
software solution sufficient to stop such attacks? If so, then the
solution is for the servers to upgrade. Indeed, no solution
Greg Troxel writes:
Harlan Stenn st...@ntp.org writes:
Garrett Wollman writes:
Unfortunately, I had to completely block NTP crossing our border
(except for six authorized servers) as there are far too many NTP
servers on our network with a default
detha writes:
A first step would be to have a default configuration where any
functionality that can be used for reflection attacks with more than a
say 2:1 ratio needs to be explicitly enabled, with warnings about this
in the sample config file(s).
Better would be a per-IP-address request
detha de...@foad.co.za wrote:
Better would be a per-IP-address request or rate limit.
No, better would be a global rate limit.
We already have a per-IP-address rate limit but it does not
help much in this case.
There should be a per-IP-address rate limit for the normal time protocol,
but the
On 27 Dec 2013, Brian Utterback wrote:
Is a peer list really a big problem? It generally doesn't make sense to
have much beyond 10 peers. Are there really a lot of servers with a lot
of peers?
If you mean to ask whether such a setup exists at all, here's a real
world example:
# ntpdc -n -c
Harlan Stenn st...@ntp.org writes:
No default ntp.conf file has been part of the stock distribution's
installation for as far back as I can remember.
If somebody starts ntpd without a conf file, ntpd will do nothing and if
somebody sends it any "tell me what you know" packets the response would
On 2013-12-27, detha de...@foad.co.za wrote:
A first step would be to have a default configuration where any
functionality that can be used for reflection attacks with more than a say
2:1 ratio needs to be explicitly enabled, with warnings about this in the
sample config file(s).
The NTP
Greg Troxel writes:
Harlan Stenn st...@ntp.org writes:
No default ntp.conf file has been part of the stock distribution's
installation for as far back as I can remember.
If somebody starts ntpd without a conf file, ntpd will do nothing and if
somebody sends it any "tell me what you know"
On 12/27/2013 5:50 PM, Jochen Bern wrote:
On 27 Dec 2013, Brian Utterback wrote:
Is a peer list really a big problem? It generally doesn't make sense to
have much beyond 10 peers. Are there really a lot of servers with a lot
of peers?
If you mean to ask whether such a setup exists at all,