Maximum reply size? Megabytes?

It has been claimed that NTPd can send responses that are several MEGABYTES.

To the best of my knowledge, #define MAXMONMEM 600 in the source means that monlist can return no more than 600 entries. Therefore the maximum monlist reply would be several kilobytes. Does anyone know of any ntp reply that can be several megabytes?

monlist might be limited to 600, but mrulist most definitely isn’t…

Feel free to run ntpq -c mrulist on your machine and prepare to sit and wait… I stopped mine that got to over 65,000 entries while I was typing this reply…

Though mrulist requires a nonce to prevent spoofing.

Why do you ask?

I ask because of what you had hinted at, spoofing. A professor at a well-known university that teaches network security states that one can do an amplification attack by spoofing and getting replies that are several megabytes. I’ve requested more info; haven’t received a reply.

He’s probably talking about monlist. That was the big NTP amplification attack back in the day, if there was anything new I would have expected it to have been published / fixed.

Hackers are most of the time ahead of the security squad :wink:

Yeah but this is a college professor… Academia wouldn’t hold something like that back.
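To put numbers on the size argument above, here is an added example that is not code from any post in this thread: it takes the 600-entry cap quoted here together with the mode 7 wire format (72-byte monitor entries, 8-byte header, 500-byte data area, so 6 entries per reply packet) and computes the worst-case monlist reply and amplification factor. The link-layer overhead and request size it uses are assumptions, marked in the code.

```python
import math

# Mode 7 wire-format constants (ntp_request.h in the reference ntpd):
MONITOR_ENTRY_BYTES = 72   # sizeof(struct info_monitor): one monlist entry
MODE7_HEADER_BYTES = 8     # fixed mode 7 packet header
RESP_DATA_BYTES = 500      # RESP_DATA_SIZE: max data area per response packet
ENTRIES_PER_PACKET = RESP_DATA_BYTES // MONITOR_ENTRY_BYTES  # 6 -> 440-byte payload

# Assumptions (not from the thread): IPv4 over Ethernet, minimal request.
LINK_OVERHEAD_BYTES = 42     # Ethernet 14 + IPv4 20 + UDP 8
REQUEST_PAYLOAD_BYTES = 48   # mode 7 request without an authentication MAC

MAXMONMEM = 600              # entry cap quoted in the thread


def monlist_reply(entries: int) -> dict:
    """Worst-case on-the-wire size of a monlist reply holding `entries` records."""
    packets = math.ceil(entries / ENTRIES_PER_PACKET)
    wire_bytes = 0
    for i in range(packets):
        # The last packet may be only partially filled.
        n = min(ENTRIES_PER_PACKET, entries - i * ENTRIES_PER_PACKET)
        wire_bytes += LINK_OVERHEAD_BYTES + MODE7_HEADER_BYTES + n * MONITOR_ENTRY_BYTES
    request_wire = LINK_OVERHEAD_BYTES + REQUEST_PAYLOAD_BYTES
    return {
        "packets": packets,
        "bytes": wire_bytes,
        "packet_amplification": packets,  # one request packet goes in
        "byte_amplification": wire_bytes / request_wire,
    }


def entries_for_bytes(target_bytes: int) -> int:
    """Entries (rounded up to whole packets) needed before a reply reaches target_bytes."""
    full_packet = LINK_OVERHEAD_BYTES + MODE7_HEADER_BYTES + ENTRIES_PER_PACKET * MONITOR_ENTRY_BYTES
    return math.ceil(target_bytes / full_packet) * ENTRIES_PER_PACKET


if __name__ == "__main__":
    r = monlist_reply(MAXMONMEM)
    print(f"{MAXMONMEM} entries -> {r['packets']} packets, {r['bytes']} bytes on the wire, "
          f"~{r['byte_amplification']:.0f}x bytes per request")
    print(f"a 2 MiB reply would need about {entries_for_bytes(2 * 1024 * 1024)} entries")
```

With the 600-entry cap this comes out at 100 packets and 48,200 bytes, tens of kilobytes rather than megabytes; reaching megabytes would take an entry count in the tens of thousands, the order of the mrulist size reported earlier in the thread.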

There are a lot of old manuals for configuring ntp on the internet, and there are no guidelines for setting up servers specifically for the pool/high load. How many servers should you use, and which servers are good? Do you need monlist enabled? Some server owners may use monlist, others may not. There is no configuration consistency and many controversial issues.

Hi, there are some guidelines on this page and the linked “configuration recommendations” page: