r9 - 2015-08-19 - 10:11:46 - RupeshPatelYou are here: NTP >  Support Web > ConfiguringNTP > OrphanMode
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p7 was released on 26 April 2016. It addresses 11 low- and medium-severity security issues, 16 bugfixes, and contains other improvements over 4.2.8p6.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
REFACTOR See OrphanModeDev for discussion of this topic.

6.2. Orphan mode

Orphan Mode is the stated replacement for the UndisciplinedLocalClock. It was added to ntp-4.2.2.

Orphan Mode allows a group of ntpd processes to automonously select a leader in the event that all real time sources become unreachable (i.e. are inaccessible).

Orphan Mode is enabled by adding the line tos orphan N anywhere in ntp.conf. The N specifies the stratum at which this ntpd will switch to Orphan Mode. For example, an ntpd using tos orphan 6 will not switch to Orphan Mode as long as a time source of strata 1 through 5 is reachable. The recommended value for N is 2 more than the worst-case externally-reachable source of time.

In addition to the tos orphan line all members of the Orphan Mode group must be configured in a mesh (i.e. they must all be clients / peers of each other). Any NTP association mode may be used to set up this mesh.

NTP versions prior to 4.2.4p5 and 4.2.5p101 will not start up properly in Orphan Mode unless at least one time source is configured in ntp.conf. If no time sources are specified the refid stays at .INIT. and the rootdispersion continually increases. This makes these versions unsuitable for use as stand-alone Orphan Mode servers in a time island.

NTP version 4.2.5p101 or later will start up correctly in pure Orphan Mode.

6.2.1. Configuration

Related Topics: Distribution Documentation: Orphan Mode, UndisciplinedLocalClock

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r9 < r8 < r7 < r6 < r5 | More topic actions
Support.OrphanMode moved from Support.ConfiguringOrphanMode on 2007-03-19 - 12:13 by SteveKostecke - put it back
 
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2016 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback