You can also use limited and kod. I saw it being talked about here (I think) as an anti-flooding measure.
By the way, would someone know whether « restrict default limited kod » (and notrap nomodify nopeer) is a bare minimum or is it « good » (as in unlikely to ever be abused)?

Also, having a pedagogical webpage on ntp.mydomain.tld strikes me as a very good idea. Thanks for the tip ;-)

2012/8/10 Mouse <[email protected]>:
>>>> [...] we had two rather irate people call our emergency support
>>>> line, demanding that we fix the system that was attacking their
>>>> network. On port 123/udp. [...]
>>> [...]
>> Your NTP server could be responding to requests with forged source IP
>> addresses, so in a sense, your server really is "attacking" a
>> third-party.
>
> I never put the two together now, but this could be why I've never had
> any such complaints. I have a watcher snooping my port-123 traffic and
> any IP that sends too fast gets router-blocked at my border. I did
> this out of self-defense against clients that don't understand why it's
> a bad thing to query multiple times a second or the like. But it does
> mean that I'm not much use as an attack bandwidth amplifier. (Yes, I
> have similar guards on port 53 too....)
>
> /~\ The ASCII                             Mouse
> \ / Ribbon Campaign
>  X  Against HTML                [email protected]
> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
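
A sketch of the kind of port-123 watcher described in the quoted message, added here as an example and not taken from the thread or written by its authors: it flags any source address that exceeds a request budget inside a sliding window, which is the list a border router would then block. The threshold, window length, function names and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def constructed_events():
    """Constructed sample of (timestamp_ms, source_ip) pairs for UDP/123 requests."""
    events = [(1_000_000 + 64_000 * i, "192.0.2.10") for i in range(5)]   # normal 64 s poller
    events += [(1_000_000 + 2_000 * i, "203.0.113.5") for i in range(4)]  # startup burst, then quiet
    events += [(1_010_000 + 200 * i, "198.51.100.7") for i in range(50)]  # 5 requests per second
    return sorted(events)


def find_flooders(events, max_requests=8, window_ms=10_000):
    """Return {source_ip: timestamp_ms at which it first exceeded the budget}.

    events must be ordered by timestamp. A source is flagged once it has sent
    more than max_requests requests within any window_ms-long window.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, src in events:
        if src in flagged:        # already handed to the border filter
            continue
        window = recent[src]
        window.append(ts)
        # Drop requests that have aged out of the sliding window.
        while window and ts - window[0] >= window_ms:
            window.popleft()
        if len(window) > max_requests:
            flagged[src] = ts
            del recent[src]       # no need to keep state for a blocked source
    return flagged


if __name__ == "__main__":
    for ip, when in find_flooders(constructed_events()).items():
        print(f"block {ip} (budget exceeded at t={when} ms)")
```

Because the source address of a UDP request can be forged, a flagged address may belong to the target of the reflected traffic rather than to the sender; blocking it still stops the server from replying to it.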
