Date:      Thu, 16 Jan 2014 10:37:43 +0100
From:      Fabian Wenk <fabian@wenks.ch>
To:        freebsd-security@freebsd.org
Subject:   Re: UNS: Re: NTP security hole CVE-2013-5211?
Message-ID:  <52D7A867.7070607@wenks.ch>
In-Reply-To: <868uuid7y3.fsf@nine.des.no>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> <868uuid7y3.fsf@nine.des.no>

Hello Dag-Erling

On 14.01.2014 14:11, Dag-Erling Smørgrav wrote:
> Garrett Wollman <wollman@bimajority.org> writes:
>> For a "pure" client, I would suggest "restrict default ignore" ought
>> to be the norm.  (Followed by entries to unrestrict localhost over v4
>> and v6.)
>
> Pure clients shouldn't use ntpd(8).  They should use sntp(8) or a
> lightweight NTP client like ttsntpd.

I think it is bad advice, because ntpd is much nicer to NTP 
servers (mainly the NTP Pool) than sntp is.
I am running a few NTP servers which are also in the NTP Pool and 
I do volunteer to be also in the tr (Turkey) zone. In Turkey 
there is one large telecommunication company with a lot of CPEs 
which are doing sntp requests quite often. Even if the IP 
addresses for the Pool are rotated quickly, they are all using 
the same few DNS servers to resolve and those are hammering the same 
few IP addresses at the same time. It is quite well visible in my 
graphs [1] with the large peaks. The quiet stable ground traffic 
is from nice ntpd clients which are distributed evenly on the NTP 
Pool.

   [1] http://www.home4u.ch/ntp/


bye
Fabian


