NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to use in a distributed denial-of-service (DDoS) attack. Please also take this opportunity to defeat denial-of-service attacks by implementing ingress and egress filtering through BCP38. See NTPAccessPolicyDev for discussion of this topic.
A new set of mode 6 vulnerabilities has been discovered and, while these vulnerabilities can be reduced by making sure you have restrict default … noquery in your ntp.conf file, the best and most complete way to avoid these vulnerabilities is to install and deploy ntp-4.2.8, which was released on 18 December 2014.
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
5.1. NTP Access Policy
It was proposed on news://comp.protocols.time.ntp to publish the access policy for ntp via ntp/tcp.
Since ntp (the time protocol) only uses ntp/udp, ntp/tcp is available as a reserved port number.
It would be possible to publish both a machine readable version (in some standard format, to be determined) and a human readable version.
A simple solution is to use inetd to offer a file on connection to ntp/tcp. Example line in inetd.conf:
ntp stream tcp nowait nobody /usr/libexec/tcpd /bin/cat /etc/ntp-access-policy.txt
The file /etc/ntp-access-policy.txt would then contain the access policy.
- 28 Aug 2003
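
A client for the proposal above, as an added example that is not part of the original page: it reads the policy text that the inetd line serves on ntp/tcp, applying a timeout, a size cap and control-character filtering because the text comes from a remote host. The names fetch_policy, sanitize and serve_once and the 64 KiB cap are assumptions; serve_once is a constructed local stand-in for the inetd service so the block runs offline.

```python
import socket
import threading

NTP_TCP_PORT = 123            # ntp/tcp, the reserved port the proposal uses
MAX_POLICY_BYTES = 64 * 1024  # assumed cap; the page sets no size limit


def sanitize(raw: bytes) -> str:
    """Decode as ASCII and drop control characters other than newline and tab."""
    text = raw.decode("ascii", errors="replace")
    return "".join(c for c in text if c in "\n\t" or c.isprintable())


def fetch_policy(host: str, port: int = NTP_TCP_PORT, timeout: float = 5.0) -> str:
    """Read until the server closes the connection, as /bin/cat under inetd does."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            total += len(data)
            if total > MAX_POLICY_BYTES:
                raise ValueError("policy exceeds size cap")
            chunks.append(data)
    return sanitize(b"".join(chunks))


def serve_once(policy: bytes) -> int:
    """Constructed stand-in for the inetd line: send policy to one client, then close."""
    listener = socket.create_server(("127.0.0.1", 0))

    def handle():
        conn, _ = listener.accept()
        with conn, listener:
            try:
                conn.sendall(policy)
            except OSError:
                pass  # client hung up early, e.g. after hitting the size cap

    threading.Thread(target=handle, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    sample = b"Constructed sample policy: public access allowed.\n\x1b[2J"
    print(fetch_policy("127.0.0.1", serve_once(sample)))
```

Against a real server the call is fetch_policy(hostname) with the default port 123.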