ntpsec history

Hal Murray hmurray at megapathdsl.net
Tue Nov 5 03:52:35 UTC 2019

>> Was there any discussion in ntpsec-land about disabling mode 6
>> queries *by default?*

> Dunno, best to ask on devel at ntpsec.org

I don't remember any discussion like that.

There are at least 2 reasons to block/disable mode 6.  The first is the DDoS 
problem with the old monlist command.  That command has been replaced with one 
that needs a cookie so it won't respond to simple requests with a forged 
return address.

The second is all the information you can get that might be useful for 
planning an attack.  "peers", for example, gives you a list of servers is 
using in case you want to intercept them.  "rv 0 system" will give you the 
kernel version string which might narrow the search space if you are attacking 
via some other path.

You can block mode 6 with restrictions.  I think most distros added those back 
in the days when ntpd was used for major DDoS attacks.  I doubt if they have 
been removed.

These are my opinions.  I hate spam.

More information about the devel mailing list