On Tue, Dec 20, 2022 at 11:14:04AM +0000, akihiko.iz...@sony.com wrote:
> I consider public NTS servers that serve any NTP client.
> I'm afraid NTS servers are abused for DDoS amplification.

chrony does not implement any modes that could amplify NTP traffic, like the ntpd mode 6, mode 7, or Autokey. No matter how it is configured, it won't amplify plain NTP, NTP protected by a symmetric key, or NTS-protected NTP traffic. Even if there were a bug causing a longer response to be generated, it would not be sent, as there is an additional check made before transmission comparing the length of the request and the response.

If someone is claiming your chrony server is amplifying, they are wrong. I run a number of public servers and occasionally I get abuse reports claiming amplification, but their logs, when they actually have some, don't show it. They are just misinterpreting a busy NTP server as a DDoS attack.

> Regarding RFC8915, "8.4 Avoiding DDoS Amplification",
> > NTS is designed to avoid contributing any further to this problem ...
> So, I think an NTS server should be able to reject non-NTS NTP requests to avoid
> DDoS amplification.

If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with an NTS NAK to indicate to the client that it has expired cookies. This would slow down synchronization of NTS clients after being turned off/suspended for longer periods of time.

-- 
Miroslav Lichvar
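The two points made in the reply, the transmit-side length guard and the difference between a busy server and an amplifier, as an added Python example that is not chrony's code. The flow records are constructed for illustration; the 60-byte-in / 6000-byte-out record stands in for a hypothetical amplifying service so the contrast is visible.

```python
# Added example (not chrony's source). Models the transmit guard described in
# the reply and a flow-level check a defender can run over an abuse report.

NTP_HEADER_LEN = 48          # plain NTP packet with no extension fields


def ntp_mode(packet: bytes) -> int:
    """Mode field of an NTP packet: low three bits of the first byte.
    Mode 3 = client request; modes 6/7 are ntpd control/private modes."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    return packet[0] & 0x07


def server_may_send(request: bytes, response: bytes) -> bool:
    """Transmit guard: a response is dropped if it is longer than the request
    that triggered it, so no exchange can have a gain above 1."""
    return len(response) <= len(request)


def amplification_ratio(records):
    """records: iterable of (client_ip, bytes_in, bytes_out) flow tuples.
    Returns {client_ip: total_bytes_out / total_bytes_in}."""
    totals = {}
    for ip, bytes_in, bytes_out in records:
        i, o = totals.get(ip, (0, 0))
        totals[ip] = (i + bytes_in, o + bytes_out)
    return {ip: (o / i if i else float("inf")) for ip, (i, o) in totals.items()}


def classify(records, threshold: float = 1.0):
    """Label each client: a busy client with ratio <= 1 is not amplification."""
    return {ip: ("amplifying" if r > threshold else "busy, no amplification")
            for ip, r in amplification_ratio(records).items()}


# Constructed flow records (client, bytes in, bytes out), not real traffic.
FLOWS = [
    ("198.51.100.7", 48, 48),     # plain NTP request/response
    ("198.51.100.7", 48, 48),
    ("203.0.113.9", 228, 228),    # NTS-protected exchange, same size both ways
    ("203.0.113.9", 228, 48),     # expired cookie: 48-byte NTS NAK, shorter
    ("192.0.2.50", 60, 6000),     # hypothetical amplifier, for contrast only
]

if __name__ == "__main__":
    for ip, label in classify(FLOWS).items():
        print(f"{ip}: {label}")
```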