On Thu, Mar 31, 2016 at 02:02:47AM -0700, Hal Murray wrote:
> [email protected] said:
> > I'd expect the server to respond to all requests it can or is configured to
> > (e.g. with rate limiting), like an NTP server normally does. Should it be
> > different with NTS? 
> 
> Since it's reasonably easy to inject packets with forged source address, rate 
> limiting is an opportunity for denial of service without sending a lot of 
> traffic that might attract notice.  If you want to keep a site from using 
> NTP, just send enough requests "from" that site to all the NTP servers it 
> might use.  You only need to send enough traffic to keep the rate 
> limiting activated.

Yes, that is a security issue in the implementation of rate limiting
in ntpd, which was published last year. You may have seen posts from
authors of the paper on this list :). The fix is to respond randomly
when the clients appear to be sending too many requests, so they can't
be starved of responses completely. At least one NTP implementation
already does that.

-- 
Miroslav Lichvar
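To make the starvation problem and the randomised fix concrete, here is an added simulation (not code from this thread or from any NTP implementation): a per-source token-bucket rate limiter in two modes, with a flood of packets whose source is forged to the victim's address interleaved with the victim's own polls. The address, rates and probability are constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass
class SourceState:
    tokens: float  # remaining credit for this source
    last: float    # time of the last packet from this source


class RateLimiter:
    """Per-source token bucket: `rate` requests/second, `burst` bucket size.
    mode "drop":   silently drop every request over the limit (starvable).
    mode "random": over the limit, still answer each request with probability p."""

    def __init__(self, rate, burst, mode, p=0.25, seed=0):
        self.rate, self.burst, self.mode, self.p = rate, burst, mode, p
        self.rng = random.Random(seed)  # seeded so the simulation is repeatable
        self.state = {}

    def allow(self, src, now):
        st = self.state.get(src)
        if st is None:
            st = self.state[src] = SourceState(self.burst, now)
        st.tokens = min(self.burst, st.tokens + (now - st.last) * self.rate)
        st.last = now
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return True
        if self.mode == "random":
            return self.rng.random() < self.p
        return False


def simulate(mode, attacker_rps=200, duration=600.0, client_interval=8.0, seed=1):
    """Spoofed flood "from" the victim, interleaved with the victim's real polls.
    Returns the fraction of the victim's own polls that received an answer."""
    lim = RateLimiter(rate=1.0, burst=8, mode=mode, seed=seed)
    victim = "192.0.2.10"  # constructed (documentation range) client address
    answered = polls = 0
    t = next_poll = 0.0
    while t < duration:
        lim.allow(victim, t)  # forged packet: consumes the victim's credit
        if t >= next_poll:    # the victim's genuine poll
            polls += 1
            answered += lim.allow(victim, t)
            next_poll += client_interval
        t += 1.0 / attacker_rps
    return answered / polls


if __name__ == "__main__":
    for m in ("drop", "random"):
        print(f"{m:6s} mode: {simulate(m):.2%} of the victim's polls answered")
```

In "drop" mode only the very first poll (before the bucket is drained) gets through; in "random" mode the flood still costs the victim most responses, but a fixed share of its polls keep being answered, so the spoofer cannot fully cut it off.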

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc