summaryrefslogtreecommitdiffstats
path: root/contrib/ntp/ntpd/ntp.conf.def
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.def')
-rw-r--r--contrib/ntp/ntpd/ntp.conf.def71
1 files changed, 67 insertions, 4 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.def b/contrib/ntp/ntpd/ntp.conf.def
index 43835bc..25d9fd0 100644
--- a/contrib/ntp/ntpd/ntp.conf.def
+++ b/contrib/ntp/ntpd/ntp.conf.def
@@ -2395,16 +2395,18 @@ a 6-bit code. The default value is 46, signifying Expedited Forwarding.
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
.It Xo Ic disable
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
Provides a way to enable or disable various server options.
@@ -2478,6 +2480,67 @@ See the
section for further information.
The default for this flag is
.Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives a crypto-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd 1ntpdmdoc
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
.El
.It Ic includefile Ar includefile
This command allows additional configuration commands
OpenPOWER on IntegriCloud