On 12/27/2013 5:50 PM, Jochen Bern wrote:
> On 27 Dec 2013, Brian Utterback wrote:
>> Is a peer list really a big problem? It generally doesn't make sense to
>> have much beyond 10 peers. Are there really a lot of servers with a lot
>> of peers?
>
> If you mean to ask whether such a setup exists at all, here's a real
> world example:
>
> # ntpdc -n -c monlist | wc -l
> 602
>
> We ship appliances to SMBs whose factory-default setup points them to
> this NTP server (i.e., no filtering by client IP). The local admin's
> supposed to change the config to local NTP, SMTP, etc. etc. servers, but
> not all of them do, to put it mildly. :-{
>
> Typical? Certainly not. *Lots* of such servers? Hmmm, let's say
> "possibly enough" (to still allow such attacks to happen unless they can
> be prevented by careful configuration).
>
> (FWIW, in the meantime, I added "nopeer", which I had initially left out
> in favor of several "setvar ... default"s.)
>
> Regards,
>                                                                 J. Bern


But monlist doesn't work with the latest software. It was replaced by mrulist which requires a handshake at the beginning, so the request address can't be spoofed. That's what I meant by having to upgrade no matter what we do.

Brian Utterback
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
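
The point made in the last reply, that a handshake before the list request keeps a spoofed source address from drawing the large reply, as an added example that is not part of the original thread and is not ntpd's code. It is a simplified model in which the server first hands out a short-lived nonce bound to the requester's address; the HMAC-SHA256 construction, the 16-second lifetime and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

SERVER_SECRET = os.urandom(32)  # per-boot secret, never sent on the wire
NONCE_LIFETIME = 16             # seconds; assumed value for this sketch


def _mac(client_ip, issued):
    """Bind the nonce to the address it was sent to and to its issue time."""
    msg = client_ip.encode() + struct.pack("!I", issued)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]


def issue_nonce(client_ip, now=None):
    """Step 1: small reply, sent to the packet's claimed source address.

    If that address was spoofed, the nonce goes to the victim, not to the
    sender, and the reply is no larger than the request that caused it.
    """
    issued = int(time.time()) if now is None else now
    return struct.pack("!I", issued) + _mac(client_ip, issued)


def validate_nonce(client_ip, nonce, now=None):
    """Accept only a fresh nonce that was issued to this same address."""
    if len(nonce) != 12:
        return False
    now = int(time.time()) if now is None else now
    (issued,) = struct.unpack("!I", nonce[:4])
    if not 0 <= now - issued <= NONCE_LIFETIME:
        return False
    return hmac.compare_digest(nonce[4:], _mac(client_ip, issued))


def handle_list_request(src_ip, nonce, now=None):
    """Step 2: the large list reply is sent only after the nonce checks out."""
    return "send-list" if validate_nonce(src_ip, nonce, now) else "drop"


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    n = issue_nonce("192.0.2.10", now=1000)
    print(handle_list_request("192.0.2.10", n, now=1005))    # legitimate client
    print(handle_list_request("198.51.100.7", n, now=1005))  # claimed source differs
```
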
