Rate limiting's been in place for quite some time, but I believe it's
only for actual time queries. This DDOS uses monlist, which isn't
subject to the same rate limits.
You've disabled monlist now, so I bet you'll no longer need all the rate
limiting IPTables rules. (Though, you'll still see
I’ll note that this is less than 140 chars, and therefore fits nicely in a
tweet.
If you’re on twitter, Signal boost the PSA, please.
My edited example: https://twitter.com/wesgeorge/status/435404354242478080
Wes George
On 2/16/14, 10:03 PM, Kate Gerry k...@quadranet.com wrote:
add these to
Better yet, why is your ntp server even reachable off net?
Providing a public clock service needs a lot more configuration effort
than a simple, default one -- as just demonstrated.
(However, this is not to say that private servers should have management
queries enabled.)
On 2/17/2014 9:03
Kate Gerry writes:
Just add these to your ntp.conf configuration then restart the service: (Works with all default installations that I've found)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
KOD only works with limited in the
If somebody has contacts at Juniper who is involved in this, I'd like to
get their contact information.
--
Harlan Stenn st...@ntp.org
http://networktimefoundation.org - be a member!
Just for the reference, here is a more complete solution for Junos (took me
a while searching the web to figure it out), hope it helps someone.
policy-options {
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address *";
    }
    prefix-list ntp-servers {
On 2/17/14, 7:26 AM, George, Wes wrote:
I’ll note that this is less than 140 chars, and therefore fits nicely in a
tweet.
If you’re on twitter, Signal boost the PSA, please.
My edited example: https://twitter.com/wesgeorge/status/435404354242478080
Wes George
On 2/16/14, 10:03 PM, Kate
Peer means it considers the other side an equal and they will mutually skew
time together. If you have peer on for devices you don't consider your time
servers, you're opening yourself up to problems.
-Blake
On Mon, Feb 17, 2014 at 9:14 AM, Pete Ashdown pashd...@xmission.com wrote:
On
On Feb 17, 2014, at 10:14 PM, Pete Ashdown pashd...@xmission.com wrote:
Does not having nopeer contribute to DDoS amplification?
No:
http://www.kb.cert.org/vuls/id/348126
---
Roland Dobbins rdobb...@arbor.net //
Blake:
Just to make sure I've got this down, listing a device as a peer in
the ntp.conf file will create a situation where both devices are saying,
I know what time it is and splitting the difference? Whereas when you
list a device as a server, it's using that as the authority on the
correct
Standard[1] Monday[2] Reminder[3]:
DDOS attacks are bad. DDOS attacks that you can't tell where they're coming
from are worse. BCP38 helps eliminate the latter, which helps markedly with
the former. BCP38 is usually relatively easy to implement.
Most of you people know how to do it already,
On Feb 17, 2014, at 10:38 AM, Anthony Williams alby.willi...@verizon.com
wrote:
Blake:
Just to make sure I've got this down, listing a device as a peer in
the ntp.conf file will create a situation where both devices are saying,
I know what time it is and splitting the difference? Whereas
If you're trying to actually run an ntp server setup as opposed to just
trusting the world, I strongly suggest reading the documentation for the
service, as most people don't deploy it correctly while they think they
have.
At minimum, you want a cluster of 3 - 4 servers internally, configured as
Colleagues:
A reminder note for those who are, or know of someone local, to San Diego;
do not delay, ARIN+NANOG on the Road
(http://www.cvent.com/events/arin-nanog-on-the-road-san-diego/event-summary-f8a281cd63184dd1a410b894a873431b.aspx)
is fast approaching. We have a great program
Dear Sir/Madam,
I am a university researcher who is investigating the development of new,
usable tools that will improve the work practices of cyber security
professionals. As a first step to achieve this goal, I am undertaking a
survey to gain an in-depth understanding of the day-to-day