On Tue, Sep 01, 2015 at 01:01:44PM +0200, Reindl Harald wrote:
> On 01.09.2015 at 11:26, Miroslav Lichvar wrote:
>> chronyd doesn't implement server rate limiting (yet). It's not a high priority. It may sound like a useful feature, but it often actually increases the network traffic, because clients that send too many requests are often the ones that will quickly send another request when there is no reply from the server or it's told to reduce its polling rate.
> It's a matter of security in case of amplification attacks against third parties, since NTP is UDP like DNS, and so *not* low priority.
With the NTP client/server packet modes (as specified by the NTP RFC) no amplification should be possible. The response is never larger than the request. What you are probably referring to are the mode 6 (control) and mode 7 (private) packets, which are supported by ntpd to allow monitoring and configuration. They do allow traffic amplification, but are disabled in our default config for remote addresses.
chronyd ignores mode 6 and mode 7 packets. It has its own command and monitoring protocol, which allowed some amplification in the past, but has been fixed to always keep the amplification ratio <= 1.0. In any case, it's running on a separate port (323) and by default accepts only packets from localhost.
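As an added illustration (not code from this thread, from chrony or from ntpd): a small Python check that reads the NTP mode from the first header byte, shows the 1:1 size ratio of a mode 3 request and its mode 4 reply, and flags mode 6/7 or port 323 traffic arriving from non-loopback sources, which a server running with the defaults described above should not be answering. The packets, addresses and the `flag_control_traffic` helper are constructed for the example.

```python
NTP_HEADER_LEN = 48          # a mode 3 request and a mode 4 reply are both 48 bytes
NTP_PORT = 123
CHRONY_CMDMON_PORT = 323     # chronyd command/monitoring port mentioned above

def ntp_mode(packet: bytes) -> int:
    """Return the 3-bit mode field from the first byte (LI:2, VN:3, mode:3)."""
    if len(packet) < 1:
        raise ValueError("empty packet")
    return packet[0] & 0x07

def build_ntp_header(mode: int, version: int = 4) -> bytes:
    """Construct a minimal 48-byte NTP header with the given mode (sample data only)."""
    first = (0 << 6) | (version << 3) | mode
    return bytes([first]) + b"\x00" * (NTP_HEADER_LEN - 1)

def amplification_ratio(request: bytes, response: bytes) -> float:
    """Bytes sent back per byte received; client/server mode stays at 1.0."""
    return len(response) / len(request)

def flag_control_traffic(packets):
    """Given (src_ip, dst_port, payload) tuples, return the ones that are NTP
    mode 6/7 on port 123, or anything on the cmdmon port, from a non-loopback
    source. These are the packet types the thread says are disabled or
    localhost-only by default, so seeing them from outside is worth a look."""
    flagged = []
    for src, dport, payload in packets:
        if src.startswith("127.") or src == "::1":
            continue                      # local monitoring is expected
        if dport == NTP_PORT and ntp_mode(payload) in (6, 7):
            flagged.append((src, "mode %d" % ntp_mode(payload)))
        elif dport == CHRONY_CMDMON_PORT:
            flagged.append((src, "cmdmon"))
    return flagged

# Constructed sample: a normal mode 3 request and its mode 4 reply, then
# control (mode 6) and private (mode 7) probes from remote addresses.
CLIENT_REQUEST = build_ntp_header(3)
SERVER_REPLY = build_ntp_header(4)
SAMPLE_PACKETS = [
    ("192.0.2.10", NTP_PORT, CLIENT_REQUEST),
    ("192.0.2.10", NTP_PORT, build_ntp_header(6, version=2)),
    ("192.0.2.11", NTP_PORT, build_ntp_header(7, version=2)),
    ("127.0.0.1", CHRONY_CMDMON_PORT, b"\x00" * 12),
    ("192.0.2.12", CHRONY_CMDMON_PORT, b"\x00" * 12),
]

if __name__ == "__main__":
    print("client/server ratio:", amplification_ratio(CLIENT_REQUEST, SERVER_REPLY))
    for src, reason in flag_control_traffic(SAMPLE_PACKETS):
        print("flag", src, reason)
```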