diff options
Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.def')
-rw-r--r-- | contrib/ntp/ntpd/ntp.conf.def | 71 |
1 files changed, 67 insertions, 4 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.def b/contrib/ntp/ntpd/ntp.conf.def index 43835bc..25d9fd0 100644 --- a/contrib/ntp/ntpd/ntp.conf.def +++ b/contrib/ntp/ntpd/ntp.conf.def @@ -2395,16 +2395,18 @@ a 6-bit code. The default value is 46, signifying Expedited Forwarding. .Oo .Cm auth | Cm bclient | .Cm calibrate | Cm kernel | -.Cm mode7 | monitor | -.Cm ntp | Cm stats +.Cm mode7 | Cm monitor | +.Cm ntp | Cm stats | +.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc .It Xo Ic disable .Oo .Cm auth | Cm bclient | .Cm calibrate | Cm kernel | -.Cm mode7 | monitor | -.Cm ntp | Cm stats +.Cm mode7 | Cm monitor | +.Cm ntp | Cm stats | +.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc Provides a way to enable or disable various server options. @@ -2478,6 +2480,67 @@ See the section for further information. The default for this flag is .Ic disable . +.It Cm unpeer_crypto_early +By default, if +.Xr ntpd 1ntpdmdoc +receives an autokey packet that fails TEST9, +a crypto failure, +the association is immediately cleared. +This is almost certainly a feature, +but if, in spite of the current recommendation of not using autokey, +you are +.B still +using autokey +.B and +you are seeing this sort of DoS attack +disabling this flag will delay +tearing down the association until the reachability counter +becomes zero. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . +.It Cm unpeer_crypto_nak_early +By default, if +.Xr ntpd 1ntpdmdoc +receives a crypto-NAK packet that +passes the duplicate packet and origin timestamp checks +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . +.It Cm unpeer_digest_early +By default, if +.Xr ntpd 1ntpdmdoc +receives what should be an authenticated packet +that passes other packet sanity checks but +contains an invalid digest +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery, +if this type of packet is carefully forged and sent +during an appropriate window it can be used for a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . .El .It Ic includefile Ar includefile This command allows additional configuration commands |