network time default, f23

Miroslav Lichvar mlichvar at redhat.com
Tue Sep 1 12:16:10 UTC 2015


On Tue, Sep 01, 2015 at 01:01:44PM +0200, Reindl Harald wrote:
> On 01.09.2015 at 11:26, Miroslav Lichvar wrote:
> >chronyd doesn't implement server rate limiting (yet). It's not a high
> >priority. It may sound like a useful feature, but it often actually
> >increases the network traffic, because clients that send too many
> >requests are often the ones that will quickly send another request
> >when there is no reply from the server or it's told to reduce its
> >polling rate.
> 
> it's a matter of security in case of amplification attacks to third parties
> since NTP is UDP like DNS and so *not* low priority

With the NTP client/server packet modes (as specified by the NTP RFC)
no amplification should be possible. The response is never larger than
the request. What you are probably referring to are the mode 6
(control) and mode 7 (private) packets, which are supported by ntpd to
allow monitoring and configuration. They do allow traffic
amplification, but are disabled in our default config for remote
addresses.

chronyd ignores mode 6 and mode 7 packets. It has its own command and
monitoring protocol, which allowed some amplification in the past, but
has been fixed to always keep the amplification ratio <= 1.0. In any
case, it's running on a separate port (323) and by default accepts
only packets from localhost.

-- 
Miroslav Lichvar
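As an added illustration of the point made above (this is example code written for this page, not code from the chrony project or from anyone in the thread): a standards-mode NTP exchange is 48 bytes in and 48 bytes out, so the amplification ratio is exactly 1.0, and a server that ignores mode 6/7 packets never answers the packet types that could amplify. The second half runs the same ratio check over constructed flow records, which is how a defender would spot a host being used as an amplifier regardless of which daemon is behind it. The server model, the flow record format and the sample addresses are all assumptions made for the example.

```python
import struct
from typing import List, Optional, Tuple

# First byte of an NTP packet: LI (2 bits), VN (3 bits), mode (3 bits).
MODE_CLIENT = 3
MODE_SERVER = 4
NTP_PACKET_LEN = 48  # size of a standard NTPv4 header without extensions


def build_client_request() -> bytes:
    """Build a minimal 48-byte NTPv4 mode-3 (client) request."""
    first = (0 << 6) | (4 << 3) | MODE_CLIENT  # LI=0, VN=4, mode=3
    return struct.pack("!B", first) + bytes(NTP_PACKET_LEN - 1)


def ntp_mode(packet: bytes) -> int:
    """Return the 3-bit mode field of an NTP packet."""
    return packet[0] & 0x07


def simulated_server_response(request: bytes) -> Optional[bytes]:
    """Model (an assumption for this example) of a server that only speaks
    the RFC client/server modes: a well-formed mode-3 request gets a 48-byte
    mode-4 reply; anything else, including mode 6 and mode 7, is dropped."""
    if len(request) < NTP_PACKET_LEN or ntp_mode(request) != MODE_CLIENT:
        return None
    first = (request[0] & 0xF8) | MODE_SERVER  # keep LI/VN, set mode 4
    # stratum 2, poll 6, precision -24 (signed byte), then zeroed root
    # delay, root dispersion and reference id (12 bytes).
    header = struct.pack("!BBBb", first, 2, 6, -24) + bytes(12)
    reference_ts = bytes(8)
    origin_ts = request[40:48]  # echo the client's transmit timestamp
    receive_ts = bytes(8)
    transmit_ts = bytes(8)
    return header + reference_ts + origin_ts + receive_ts + transmit_ts


def amplification_ratio(request: bytes, response: Optional[bytes]) -> float:
    """Bytes returned per byte received; 0.0 when the server stays silent."""
    if response is None:
        return 0.0
    return len(response) / len(request)


# Constructed flow records for the detector: (client address, bytes sent to
# the server on UDP/123, bytes the server sent back). Sample data only.
SAMPLE_FLOWS: List[Tuple[str, int, int]] = [
    ("192.0.2.10", 10 * NTP_PACKET_LEN, 10 * NTP_PACKET_LEN),  # normal client
    ("192.0.2.20", 5 * 8, 5 * 440),  # tiny requests, large replies: amplification
    ("192.0.2.30", 3 * NTP_PACKET_LEN, 0),  # requests dropped, no reply at all
]


def find_amplifying_flows(flows: List[Tuple[str, int, int]],
                          max_ratio: float = 1.0) -> List[str]:
    """Return client addresses whose reply volume exceeds request volume.
    A ratio above 1.0 means the server is adding bandwidth to whatever the
    (possibly spoofed) source address sent, which is the amplification risk."""
    flagged = []
    for client, bytes_in, bytes_out in flows:
        if bytes_in > 0 and bytes_out / bytes_in > max_ratio:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    req = build_client_request()
    resp = simulated_server_response(req)
    print("mode-3 request ratio:", amplification_ratio(req, resp))
    print("mode-6 packet answered:", simulated_server_response(bytes([0x16]) + bytes(47)) is not None)
    print("flows exceeding 1.0:", find_amplifying_flows(SAMPLE_FLOWS))
```

The flow check is deliberately daemon-agnostic: it does not care whether the amplification came from a legacy mode 7 query or a misconfigured command port, only that more bytes left the server than arrived, which is the property the thread says chronyd now guarantees is never violated.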

