On Mon, Jan 09, 2023 at 12:15:23PM +0000, akihiko.iz...@sony.com wrote:
> > chrony does not implement any modes that could amplify NTP traffic
>
> Thank you.
> But I am afraid NTP server is vulnerable to spoofed source IP address of NTP
> client, it may participate in DDoS attacks even though chrony does not amplify
> NTP traffic (amplification factor is small).

A reflection (amplification factor of 1.0) does not seem to be useful. If you can spoof the source address, why not send packets directly to the victim? At least, I have not heard of any DDoS attacks using a 1:1 reflection. If that was an issue, many other protocols could be exploited, e.g. TCP, ICMP.

In any case, NTP authentication doesn't prevent reflection. It actually makes it easier as the packets are longer, so a single server would reflect more traffic (if it is limited by packet rate).

--
Miroslav Lichvar