nanog mailing list archives

Re: TWC (AS11351) blocking all NTP?


From: Brian Rak <brak () gameservers com>
Date: Mon, 03 Feb 2014 15:09:08 -0500

On 2/3/2014 2:46 PM, Dobbins, Roland wrote:
> On Feb 4, 2014, at 12:11 AM, Brian Rak <brak () gameservers com> wrote:
>
>> You can disable these quite easily, and still run an NTP server that provides accurate time services.
>
> Concur 100% - although it should be noted that 1:1 reflection without any amplification is also quite useful to attackers.

That's true, but there are countless services out there that could be abused in such a way. It's pretty much the same issue with DNS: even authoritative-only servers can be abused for reflection. Securing everything that could possibly be used for reflection is going to be a long and painful process; preventing this specific amplification attack is pretty easy.

NTP clients have a long history of poor implementations, so the server already has rate limiting built in. While rate limiting outgoing replies isn't a perfect solution, it's significantly better than no rate limiting. (For the curious, add 'limited' to your 'restrict default' lines to enable rate limiting. This doesn't help with the current amplification issues, but will help should someone just be abusing NTP servers for reflection.)
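As an added example (not part of the thread), a small audit script that checks an ntp.conf for the settings discussed above: 'limited' on the 'restrict default' lines, plus the real ntpd options 'noquery' and 'disable monitor', which turn off the monlist query behind the current amplification problem. The two sample configs are constructed for the example.

```python
"""Audit an ntp.conf for reflection/amplification hardening.
Added example, not from the mailing list. The flag names (restrict ...
limited / noquery / kod, disable monitor) are the real ntpd ones."""

# Flags wanted on every 'restrict default' line, and why each matters.
WANTED_DEFAULT_FLAGS = {
    "limited": "no rate limiting of replies (add 'limited')",
    "noquery": "ntpq/ntpdc queries such as monlist are allowed (add 'noquery')",
    "kod": "rate-limited clients get no kiss-o'-death hint (add 'kod')",
}

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means nothing to fix."""
    findings, default_lines, monitor_disabled = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):  # restrict -4/-6 default ...
                rest = rest[1:]
            if rest and rest[0] == "default":
                default_lines.append(set(rest[1:]))
        elif tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
    if not default_lines:
        findings.append("no 'restrict default' line: everything is open by default")
    for flags in default_lines:
        for flag, why in WANTED_DEFAULT_FLAGS.items():
            if flag not in flags and why not in findings:
                findings.append(why)
    if not monitor_disabled:
        findings.append("'disable monitor' missing: monlist stays enabled")
    return findings

# Constructed sample configs: a typical pre-hardening file and a hardened one.
WEAK_CONF = """\
server 0.pool.ntp.org
restrict default nomodify notrap
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
"""
```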
