On 2/3/2014 2:46 PM, Dobbins, Roland wrote:
> On Feb 4, 2014, at 12:11 AM, Brian Rak <b...@gameservers.com> wrote:
>> You can disable these quite easily, and still run an NTP server that provides
>> accurate time services.
> Concur 100% - although it should be noted that 1:1 reflection without any
> amplification is also quite useful to attackers.
That's true, but there are countless services out there that could be abused in
such a way. It's pretty much the same issue with DNS; even authoritative-only
servers can be abused for reflection. Securing everything that could possibly
be used for reflection is going to be a long and painful process; preventing
this specific amplification attack is pretty easy.
NTP clients have a long history of poor implementations, so the server already
has rate limiting built in. While rate limiting outgoing replies isn't a
perfect solution, it's significantly better than no rate limiting (for the
curious, add 'limited' to your 'restrict default' lines to enable rate
limiting. This doesn't help with the current amplification issues, but will
help should someone just be abusing NTP servers for reflection).
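To make the two separate points in this thread concrete (turning off the amplifying query, and enabling the built-in rate limiting), here is an ntp.conf fragment showing a weak 'restrict default' line beside a hardened one. This is an added example, not configuration from the original post; the 192.0.2.0/24 prefix is a documentation range standing in for your own networks, and the directive names ('disable monitor', 'restrict', 'kod', 'noquery', 'limited', 'discard') are standard ntpd keywords.

```conf
# Weak: anyone on the Internet can send mode 7 control queries (monlist
# included), and replies are never rate limited.
restrict default nomodify notrap

# Hardened:
# - 'disable monitor' turns off the monlist facility that produces the
#   large amplified reply.
# - 'noquery' refuses ntpq/ntpdc control queries from the default scope but
#   still answers ordinary client time requests, so the server stays useful.
# - 'limited' enables the per-source rate limiting on replies; 'kod' makes
#   ntpd send a Kiss-o'-Death packet instead of silently dropping, which
#   tells well-behaved clients to back off.
disable monitor
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited

# Optional: tune the rate-limit thresholds that 'limited' enforces
# (average = log2 of the average interval in seconds between packets from
# one source, minimum = log2 of the minimum interval).
discard minimum 1 average 3

# Localhost keeps full access for local ntpq use.
restrict 127.0.0.1
restrict -6 ::1

# Your own networks may query status but are still rate limited
# (192.0.2.0/24 is a placeholder documentation prefix).
restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer limited
```

After reloading ntpd, confirm that 'ntpq -p' still works from localhost and that time requests from the placeholder network are answered, while control queries from outside the allowed scopes are refused. Note that, as the thread says, 'limited' only caps how fast the server answers a given source; it does not remove the reflection itself, so 'disable monitor' and 'noquery' are the parts that address the amplification.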