Harlan Stenn <[email protected]> writes:

> Without knowing more about exactly what is involved, the one thing that
> leaps to mind is that folks should look at "restrict default noquery"
> with appropriate per-host or per-network overrides.
Two thoughts:

1) The big question is whether someone has really discovered something that can be called amplification, vs. just obscuring the source. Even if it's just regular NTP time exchange packets with forged source addresses, it makes it that much harder for the victim to figure out the source.

2) It would be unfortunate to lose the ability to diagnose random things due to fear of DDOS. So I wonder about a default strategy of rate-limiting replies to queries based on source address and also destination of the reply, should there be any replies sent to other than the incoming source. And perhaps these rate limits should log alarms.
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
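The rate-limiting strategy floated in point 2), as an added simulation that is not code from the NTP project or from the poster: replies are charged against a token bucket keyed on the query's source address and, whenever a reply would go somewhere other than that source, against a second bucket keyed on the reply destination; the first time a bucket is exhausted an alarm is logged. The bucket parameters (1 reply/s sustained, burst of 5), the addresses and the query timings are constructed for the example and are not from the thread.

```python
# Added example (not code from the NTP project or from the thread's author):
# a simulation of the reply rate-limiting strategy the post floats, keyed on
# the query's source address and, when a reply would go elsewhere, on the
# reply destination as well, with an alarm logged when a limit first trips.
# Token-bucket parameters, addresses and query timings are constructed here.
from collections import defaultdict
import logging

logger = logging.getLogger("ntp-reply-limit")


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def take(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ReplyLimiter:
    """Decides whether a server should answer a query arriving at time `now`."""

    def __init__(self, rate: float = 1.0, burst: int = 5) -> None:
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.dropped = defaultdict(int)   # key -> replies suppressed
        self.alarmed = set()              # keys that have already logged

    def should_reply(self, src: str, dst: str, now: float) -> bool:
        # Every query is charged against its source; a reply that would go
        # somewhere other than the source is also charged against that
        # destination, so a flood steered at one target is throttled as a whole.
        keys = [("src", src)]
        if dst != src:
            keys.append(("dst", dst))
        # Charge every bucket (no short-circuit) so both views stay consistent.
        verdicts = [self.buckets[k].take(now) for k in keys]
        for key, ok in zip(keys, verdicts):
            if not ok:
                self.dropped[key] += 1
                if key not in self.alarmed:
                    self.alarmed.add(key)
                    logger.warning("reply rate limit hit for %s %s at t=%.2f",
                                   key[0], key[1], now)
        return all(verdicts)


def run_simulation():
    """Feed constructed traffic through the limiter; returns (replied, dropped)."""
    # Constructed sample: a well-behaved client polling every 64 s, and a burst
    # of 20 queries in under a quarter second that all carry one third party's
    # address as source (what a forged-source flood looks like from the server).
    events = [(t, "192.0.2.10", "192.0.2.10") for t in (0.0, 64.0, 128.0)]
    events += [(100.0 + i * 0.01, "203.0.113.5", "203.0.113.5") for i in range(20)]
    events.sort()

    limiter = ReplyLimiter(rate=1.0, burst=5)
    replied = defaultdict(int)
    for now, src, dst in events:
        if limiter.should_reply(src, dst, now):
            replied[src] += 1
    dropped = {f"{kind}:{addr}": n for (kind, addr), n in limiter.dropped.items()}
    return dict(replied), dropped


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_simulation())
```

Running it shows the polling client getting all three replies while the burst aimed at 203.0.113.5 receives only the five-reply burst allowance and has the remaining fifteen suppressed, with one alarm line for that address. The per-destination bucket only matters when a reply is routed somewhere other than the query's source; for ordinary client/server exchanges the two keys coincide. In ntpd itself, `restrict default noquery` from Harlan's reply already withholds ntpq/ntpdc query replies, and the `limited` and `kod` restrict flags together with the `discard` directive are the built-in counterpart to the per-source limiting simulated here.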
