On 2013-11-08T01:28:56-0500, Sarah White <[email protected]> wrote:
> Even if you have ntp's internal rate limiter turned on (and the "kiss of
> death" feature enabled to block hosts which violate the limits) in my
> opinion the "query" functionality (ntpq and ntpdc) doesn't get rate
> limited, so I would have to say yes, it's probably one of the most
> abusable features in ntp.
>
> My server has yet to be abused, but today I just opted to be that much
> more safe about things, and so I've opted to make the default restrict
> line much less abusable:
>
> Previously I hadn't had kod enabled at all, but now I do
> (relaxed settings... and here are my notes)
>
> The "discard" line is for tuning the values for "kod" rate limiting
>
> The default settings for "discard" are "average 3" and "minimum 2"
> (if you omit the discard line, those values are used for kod)
>
> "minimum" is in seconds
> (I figure "1 packet per second" is acceptable for very short periods)
>
> "average" is log2 like the minpoll and maxpoll for peer or server lines
> (a value of 2 = 4 seconds, 3 = 8 seconds, 4 = 16 seconds, etc.)
>
>
> # begin /etc/ntp.conf
>
> driftfile /var/lib/ntp/ntp.drift
>
> discard average 2 minimum 1
> restrict default kod nomodify notrap nopeer noquery
> restrict -6 default kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict -6 ::1
>
> # (everything below here in my /etc/ntp.conf is configuration specific)
Pretty sure that won't do any rate limiting nor send KoD packets without "limited" in the restrict line as well. http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict

--
Kenyon Ralph
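A small checker for the misconfiguration Kenyon points out, added here as an example rather than anything from the thread or from the ntp project: it parses the restrict lines of an ntp.conf, reports entries that set kod without limited, and emits the corrected lines. The sample config is the one quoted above, embedded as constructed test input.

```python
# Constructed sample input: the restrict section quoted in the thread above.
SAMPLE_NTP_CONF = """\
# begin /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
discard average 2 minimum 1
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_restrict_lines(text):
    """Yield (family, address, flags) for each restrict line, comments stripped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        # Optional address-family selector, then the address, then optional "mask X".
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else "-4"
        if not tokens:
            continue
        address = tokens.pop(0)
        if tokens and tokens[0] == "mask":
            tokens = tokens[2:]
        entries.append((family, address, set(tokens)))
    return entries


def kod_without_limited(text):
    """Addresses whose restrict line sets kod but not limited (so kod never fires)."""
    return [f"{family} {address}" for family, address, flags in parse_restrict_lines(text)
            if "kod" in flags and "limited" not in flags]


def add_limited(text):
    """Return the config with 'limited' inserted after every 'kod' that lacks it."""
    out = []
    for raw in text.splitlines():
        head, sep, comment = raw.partition("#")
        tokens = head.split()
        if tokens and tokens[0] == "restrict" and "kod" in tokens and "limited" not in tokens:
            tokens.insert(tokens.index("kod") + 1, "limited")
            raw = " ".join(tokens) + (" " + sep + comment if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("kod without limited:", kod_without_limited(SAMPLE_NTP_CONF))
    print(add_limited(SAMPLE_NTP_CONF))
```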
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
