UNS: Re: NTP security hole CVE-2013-5211?
Fabian Wenk
fabian at wenks.ch
Thu Jan 16 09:37:48 UTC 2014
Hello Dag-Erling
On 14.01.2014 14:11, Dag-Erling Smørgrav wrote:
> Garrett Wollman <wollman at bimajority.org> writes:
>> For a "pure" client, I would suggest "restrict default ignore" ought
>> to be the norm. (Followed by entries to unrestrict localhost over v4
>> and v6.)
>
> Pure clients shouldn't use ntpd(8). They should use sntp(8) or a
> lightweight NTP client like ttsntpd.
I think it is bad advice, since ntpd is much nicer to NTP
servers (mainly the NTP Pool) than sntp is.
I am running a few NTP servers which are also in the NTP Pool, and
I also volunteer to be in the tr (Turkey) zone. In Turkey
there is one large telecommunication company with a lot of CPEs
which are doing sntp requests quite often. Even if the IP
addresses for the Pool are rotated quickly, they are all using
the same few DNS servers to resolve, and those are hammering the same
few IP addresses at the same time. It is quite clearly visible in my
graphs [1] with the large peaks. The quite stable ground traffic
is from nice ntpd clients which are distributed evenly on the NTP
Pool.
[1] http://www.home4u.ch/ntp/
bye
Fabian