> Dropping ntp packages > 128 bytes by default seems reasonable to me.
Yes and no. From the paranoid perspective of an IDS/firewall it's perfectly reasonable. From the inquisitive perspective of a student and researcher of NTP, it's a shame. It's really neat that you can ask an NTP server where it gets the time, what its software versions are, etc. It's a legitimate and useful feature of the product, and it's a shame that a seven-year-old exploit that's long since been patched means that a lot of people now block the requests. On the other hand, if I were running an important server I'd block those requests too.

The only real beef I have is that someone happened to see this report and file an abuse complaint with my ISP, whose response, btw, was to threaten to terminate my server in 4 hours if I didn't answer their email. Yeah, problems there too.

In an ideal world the snort rule would be smarter. It wouldn't block any long NTP packets, just those that could have exploited the seven-year-old security hole. I don't know anything about snort or how hard that would be to do.

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
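The post contrasts a blunt "drop every NTP packet over 128 bytes" rule with a smarter one that keys on what the packet actually is. The example below is added here and is not code from the post, from snort, or from the timekeepers list; it uses the 128-byte threshold the post mentions and only the NTP header layout from RFC 5905 (the low three bits of the first byte carry the mode; 3/4 are client/server, 6 is the control message type that `ntpq`-style queries use, 7 is reserved for private use). It shows, on constructed sample packets, how the naive length rule also drops oversized ordinary time packets, while a mode-aware rule leaves those alone. Everything else (function names, the sample lengths, the `classify` verdict fields) is an assumption made for illustration.

```python
# Added example: comparing a naive NTP length filter with a mode-aware one.
# Packet layout facts come from RFC 5905; the 128-byte limit is the one the
# post discusses. All sample packets below are constructed, not captured.

SIZE_LIMIT = 128  # the "drop NTP packets > 128 bytes" rule from the post

# RFC 5905 mode values (low 3 bits of the first header byte)
NTP_MODES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",   # ntpq-style "where do you get time / what version" queries
    7: "private",   # reserved for private/implementation-specific use
}


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode field from the first byte of an NTP UDP payload."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07


def build_ntp_packet(mode: int, total_len: int, version: int = 4) -> bytes:
    """Constructed test packet: a valid first byte (LI=0, VN, mode) plus zero padding.

    Only the first byte matters to the classifier; the padding stands in for the
    rest of the header, any MAC, extension fields, or control-message payload.
    """
    if not 0 <= mode <= 7 or total_len < 1:
        raise ValueError("bad mode or length")
    first_byte = (version << 3) | mode
    return bytes([first_byte]) + bytes(total_len - 1)


def classify(payload: bytes, size_limit: int = SIZE_LIMIT) -> dict:
    """Describe one NTP packet and give two verdicts.

    naive_drop    - the rule the post complains about: drop anything over size_limit.
    targeted_drop - a mode-aware rule (assumed shape of the "smarter" rule the post
                    wishes for): drop only oversized control/private (mode 6/7)
                    traffic, so large ordinary client/server packets pass.
    """
    mode = ntp_mode(payload)
    oversized = len(payload) > size_limit
    return {
        "mode": mode,
        "mode_name": NTP_MODES[mode],
        "length": len(payload),
        "naive_drop": oversized,
        "targeted_drop": oversized and mode in (6, 7),
    }


def summarize(packets) -> tuple:
    """Return (dropped_by_naive_rule, dropped_by_targeted_rule) over a packet list."""
    verdicts = [classify(p) for p in packets]
    naive = sum(1 for v in verdicts if v["naive_drop"])
    targeted = sum(1 for v in verdicts if v["targeted_drop"])
    return naive, targeted


# Constructed samples: a plain 48-byte client request, a client request padded
# out to 200 bytes (as extension fields would do), a 60-byte control query,
# a 300-byte control response, and a 440-byte mode-7 packet.
SAMPLE_PACKETS = [
    build_ntp_packet(3, 48),
    build_ntp_packet(3, 200),
    build_ntp_packet(6, 60),
    build_ntp_packet(6, 300),
    build_ntp_packet(7, 440),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        v = classify(pkt)
        print(f"mode {v['mode']} ({v['mode_name']:16}) len {v['length']:4}  "
              f"naive_drop={v['naive_drop']!s:5} targeted_drop={v['targeted_drop']}")
    print("dropped (naive, targeted):", summarize(SAMPLE_PACKETS))
```

Running it shows the naive rule dropping three of the five samples, including the 200-byte ordinary client packet, while the mode-aware rule drops only the two oversized mode 6/7 packets. A real IDS rule would also need to check the UDP port and, for mode 6, the opcode and response bit, which this illustration deliberately omits.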
