Thanks for the quick response, Jim! We also wish to host a "public" NTP server. Are there any safeguard rules we can implement?

I was thinking about limiting every remote host to 2-3 requests per minute.

Regards
HASSAN

On Fri, Feb 14, 2014 at 5:33 AM, Jim Reid <[email protected]> wrote:

> On 13 Feb 2014, at 23:18, Nyamul Hassan <[email protected]> wrote:
>
> > From the documentation, and all literature that I can find on the internet,
> > it seems any remote client who needs to talk to our NTP servers on UDP 123,
> > must also originate the request from UDP 123.
>
> Whatever you've found is wrong.
>
> NTP servers exchanging timestamps with other NTP servers will generally
> use port 123 for both the source and destination port numbers on those
> packets. Edge clients and utilities like ntpq should be using random source
> port numbers whenever they talk to an NTP server.
>
> > Considering this, we have firewalled any traffic for/from UDP 123 on our
> > servers that does not start/end in UDP 123 on the remote machines.
> >
> > Could someone confirm if this is correct?
>
> Depends on how you define "correct".
>
> > Or are we blocking legitimate requests as well?
>
> Depends on how you define "legitimate".
>
> What you've done is probably fine. Almost nobody outside your network
> should be querying your NTP servers or answering queries from them.
> Blocking that traffic is unlikely to break anything and it should
> significantly reduce your exposure to DDoS attacks.
>
> Make sure though that you open up the firewall to allow your trusted NTP
> servers to speak NTP to their upstream peers, i.e. a small number of your NTP
> servers can get the time from NTP servers on the Internet (say) and your
> servers then feed the time to any downstream servers and clients *inside*
> your net.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
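The following is an added example, not code from the thread or from the NTP project: a small Python model of the two safeguards discussed above. It pairs the port-based admission rule Jim describes (trusted peers talk 123 to 123, edge clients of a public server arrive from random source ports) with Hassan's per-source budget of a few requests per minute, implemented as a sliding window keyed by client address. The addresses, the peer list, and the sample packets are all constructed for the demonstration.

```python
"""Model of a public NTP server's admission checks (added example, not from the thread).

1. Port policy: trusted peers are expected to use UDP 123 on both ends. On a
   private server (the original poster's setup) everything else is dropped; on
   a public server, edge clients with random source ports must be admitted.
2. Rate limit: at most `limit` requests per `window` seconds from each source
   address, a sliding-window form of "2-3 requests per minute".
"""
from collections import defaultdict, deque
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    ts: float  # arrival time in seconds (constructed, relative to the first packet)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds from each source IP."""

    def __init__(self, limit: int = 3, window: float = 60.0):
        self.limit = limit
        self.window = window
        self._seen: dict[str, deque] = defaultdict(deque)

    def allow(self, src_ip: str, now: float) -> bool:
        q = self._seen[src_ip]
        # Forget request timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget for this window: drop the request
        q.append(now)
        return True


def port_policy_allows(pkt: Packet, trusted_peers: set, public: bool) -> bool:
    """Port-based admission as described in the thread."""
    if pkt.dst_port != NTP_PORT:
        return False
    if pkt.src_ip in trusted_peers:
        return pkt.src_port == NTP_PORT  # peer traffic is 123 -> 123
    return public  # non-peer traffic is admitted only on a public server


def filter_requests(packets, trusted_peers, public, limiter=None):
    """Return (packet, verdict) pairs after the port check, then the rate limit."""
    limiter = limiter or SlidingWindowLimiter()
    verdicts = []
    for pkt in packets:
        if not port_policy_allows(pkt, trusted_peers, public):
            verdicts.append((pkt, "drop:port-policy"))
        elif not limiter.allow(pkt.src_ip, pkt.ts):
            verdicts.append((pkt, "drop:rate-limit"))
        else:
            verdicts.append((pkt, "accept"))
    return verdicts


# Constructed sample traffic; 198.51.100.10 is an assumed upstream peer.
TRUSTED_PEERS = {"198.51.100.10"}
SAMPLE = [
    Packet("198.51.100.10", 123, 123, 0.0),    # peer: 123 -> 123
    Packet("203.0.113.5", 51234, 123, 1.0),    # edge client, random source port
    Packet("203.0.113.5", 51235, 123, 2.0),
    Packet("203.0.113.5", 51236, 123, 3.0),
    Packet("203.0.113.5", 51237, 123, 4.0),    # 4th within a minute: rate-limited
    Packet("192.0.2.7", 123, 9999, 4.5),       # wrong destination port
    Packet("203.0.113.5", 51238, 123, 65.0),   # window has slid: accepted again
]


def summarize(public: bool) -> dict:
    """Count verdicts for the sample traffic in private or public mode."""
    counts = defaultdict(int)
    for _, verdict in filter_requests(SAMPLE, TRUSTED_PEERS, public):
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for mode in (False, True):
        print("public" if mode else "private", summarize(mode))
```

Running it shows the trade-off in the thread: in private mode the port rule alone drops every non-peer packet, which is fine for an internal server, while in public mode the edge clients get through and only the per-source budget stops the burst. In a real deployment this logic lives in the firewall (per-source rate limiting on UDP 123) or in ntpd's own `restrict ... limited kod` handling rather than in application code.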
