From ab99373cfcd01be5541c39213c6d58294dc46bac Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 3 Jan 2017 12:05:43 +0100 Subject: [PATCH] conf: change default rate limiting parameters Change the default NTP rate limiting leak to 2 (25%). Change the default command rate limiting interval to -4 (16 packets per second) and burst to 8, so the interval is the only difference between NTP and command rate limiting defaults. --- conf.c | 6 +++--- doc/chrony.conf.adoc | 23 ++++++++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/conf.c b/conf.c index 7500fd9..5de7f42 100644 --- a/conf.c +++ b/conf.c @@ -194,10 +194,10 @@ static char *pidfile; static int ntp_ratelimit_enabled = 0; static int ntp_ratelimit_interval = 3; static int ntp_ratelimit_burst = 8; -static int ntp_ratelimit_leak = 3; +static int ntp_ratelimit_leak = 2; static int cmd_ratelimit_enabled = 0; -static int cmd_ratelimit_interval = 1; -static int cmd_ratelimit_burst = 16; +static int cmd_ratelimit_interval = -4; +static int cmd_ratelimit_burst = 8; static int cmd_ratelimit_leak = 2; /* Smoothing constants */ diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc index d7710ad..f1b5f0e 100644 --- a/doc/chrony.conf.adoc +++ b/doc/chrony.conf.adoc 
@@ -1238,9 +1238,10 @@ in any order): *interval*::: This option sets the minimum interval between responses. It is defined as a power of 2 in seconds. The default value is 3 (8 seconds). The minimum value -is -19 and the maximum value is 12. Note that with values below -4 the rate -limiting is coarse (responses are allowed in bursts, even if the interval -between them is shorter than the specified interval). +is -19 (524288 packets per second) and the maximum value is 12 (one packet per +4096 seconds). Note that with values below -4 the rate limiting is coarse +(responses are allowed in bursts, even if the interval between them is shorter +than the specified interval). *burst*::: This option sets the maximum number of responses that can be sent in a burst, temporarily exceeding the limit specified by the *interval* option. This is 
@@ -1252,20 +1253,20 @@ This option sets the rate at which responses are randomly allowed even if the limits specified by the *interval* and *burst* options are exceeded. This is necessary to prevent an attacker who is sending requests with a spoofed source address from completely blocking responses to that address. The leak -rate is defined as a power of 1/2 and it is 3 by default, i.e. on average at -least every eighth request has a response. The minimum value is 1 and the +rate is defined as a power of 1/2 and it is 2 by default, i.e. on average at +least every fourth request has a response. The minimum value is 1 and the maximum value is 4. :: + An example use of the directive is: + ---- -ratelimit interval 4 burst 4 +ratelimit interval 1 burst 16 ---- + -This would reduce the response rate for IP addresses that send packets on -average more frequently than once per 16 seconds or send packets in bursts -of more than 4 packets. +This would reduce the response rate for IP addresses sending packets on average +more than once per 2 seconds, or sending packets in bursts of more than 16 +packets, by up to 75% (with default *leak* of 2). [[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]:: The *smoothtime* directive can be used to enable smoothing of the time that @@ -1394,8 +1395,8 @@ need to be run with the *-p 257* switch to inter-operate correctly.) [[cmdratelimit]]*cmdratelimit* [_option_]...:: This directive enables response rate limiting for command packets. It is similar to the <> directive, except responses to -localhost are never limited and the default interval is 1 (2 seconds), the default -burst is 16, and the default leak rate is 2. +localhost are never limited and the default interval is -4 (16 packets per +second). + An example of the use of the directive is: +
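Review bot: the conf.c hunk loosens the NTP leak from 3 (1/8) to 2 (1/4) but the commit message gives no reason for it; since the leak rate bounds how many over-limit requests still get a response (the documented purpose being to keep a spoofed-source flood from fully blocking responses to that address), the rationale for answering a quarter rather than an eighth of them belongs in the message. The new command values (interval -4, burst 8, leak 2) do match the stated intent that only the interval differs from the NTP defaults (3, 8, 2).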
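Review bot: in the @@ -1238 hunk the new parentheticals say "packets per second" while the sentence they qualify, and the rest of the section, speak of "responses"; "responses per second" would keep the terminology consistent. The arithmetic is right: 2^19 = 524288 and 2^12 = 4096.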
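Review bot: the @@ -1252 hunk replaces the example `ratelimit interval 4 burst 4` with `ratelimit interval 1 burst 16`, which is looser than the new defaults (interval 3, burst 8), so the example now shows how to relax the limit rather than tighten it; either say so in the surrounding text or pick values stricter than the default, otherwise readers may copy it as a hardening step. The explanation does match the values (2^1 = 2 seconds; leak 2 means one request in four is answered, hence at most a 75% reduction).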
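Review bot: the @@ -1394 hunk drops the explicit burst and leak defaults from the *cmdratelimit* entry; they now equal the *ratelimit* defaults (8 and 2), but a reader of this entry alone no longer sees them, so a clause such as "the default burst and leak rate are the same as for *ratelimit*" would keep the entry self-contained. It is also worth noting that -4 is the lowest interval the *ratelimit* text does not describe as coarse, so 16 packets per second is the fastest default that is still enforced exactly.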