TWC (AS11351) blocking all NTP?

Brian Rak brak at gameservers.com
Mon Feb 3 20:09:08 UTC 2014


On 2/3/2014 2:46 PM, Dobbins, Roland wrote:
> On Feb 4, 2014, at 12:11 AM, Brian Rak <brak at gameservers.com> wrote:
>
>> You can disable these quite easily, and still run a NTP server that provides accurate time services.
> Concur 100% - although it should be noted that 1:1 reflection without any amplification is also quite useful to attackers.
>
That's true, but there are countless services out there that could be abused in such a way.  It's pretty much the same issue with DNS, even authoritative-only servers can be abused for reflection.  Securing everything that could possibly be used for reflection is going to be a long and painful process, preventing this specific amplification attack is pretty easy.

NTP clients have a long history of poor implementations, so the server already has rate limiting built in.  While rate limiting outgoing replies isn't a perfect solution, it's significantly better then no rate limiting (for the curious, add 'limited' to your 'restrict default' lines to enable rate limiting.  This doesn't help with the current amplification issues, but will help should someone just be abusing NTP servers for reflection).





More information about the NANOG mailing list