conf: change default rate limiting parameters
Change the default NTP rate limiting leak to 2 (25%). Change the default command rate limiting interval to -4 (16 packets per second) and burst to 8, so the interval is the only difference between NTP and command rate limiting defaults.
This commit is contained in:
Miroslav Lichvar
parent
dbfb49384b
commit
ab99373cfc
2 changed files with 15 additions and 14 deletions
6
conf.c
6
conf.c
|
|
@ -194,10 +194,10 @@ static char *pidfile;
|
|||
static int ntp_ratelimit_enabled = 0;
|
||||
static int ntp_ratelimit_interval = 3;
|
||||
static int ntp_ratelimit_burst = 8;
|
||||
static int ntp_ratelimit_leak = 3;
|
||||
static int ntp_ratelimit_leak = 2;
|
||||
static int cmd_ratelimit_enabled = 0;
|
||||
static int cmd_ratelimit_interval = 1;
|
||||
static int cmd_ratelimit_burst = 16;
|
||||
static int cmd_ratelimit_interval = -4;
|
||||
static int cmd_ratelimit_burst = 8;
|
||||
static int cmd_ratelimit_leak = 2;
|
||||
|
||||
/* Smoothing constants */
|
||||
|
|
|
|||
|
|
@ -1238,9 +1238,10 @@ in any order):
|
|||
*interval*:::
|
||||
This option sets the minimum interval between responses. It is defined as a
|
||||
power of 2 in seconds. The default value is 3 (8 seconds). The minimum value
|
||||
is -19 and the maximum value is 12. Note that with values below -4 the rate
|
||||
limiting is coarse (responses are allowed in bursts, even if the interval
|
||||
between them is shorter than the specified interval).
|
||||
is -19 (524288 packets per second) and the maximum value is 12 (one packet per
|
||||
4096 seconds). Note that with values below -4 the rate limiting is coarse
|
||||
(responses are allowed in bursts, even if the interval between them is shorter
|
||||
than the specified interval).
|
||||
*burst*:::
|
||||
This option sets the maximum number of responses that can be sent in a burst,
|
||||
temporarily exceeding the limit specified by the *interval* option. This is
|
||||
|
|
@ -1252,20 +1253,20 @@ This option sets the rate at which responses are randomly allowed even if the
|
|||
limits specified by the *interval* and *burst* options are exceeded. This is
|
||||
necessary to prevent an attacker who is sending requests with a spoofed
|
||||
source address from completely blocking responses to that address. The leak
|
||||
rate is defined as a power of 1/2 and it is 3 by default, i.e. on average at
|
||||
least every eighth request has a response. The minimum value is 1 and the
|
||||
rate is defined as a power of 1/2 and it is 2 by default, i.e. on average at
|
||||
least every fourth request has a response. The minimum value is 1 and the
|
||||
maximum value is 4.
|
||||
::
|
||||
+
|
||||
An example use of the directive is:
|
||||
+
|
||||
----
|
||||
ratelimit interval 4 burst 4
|
||||
ratelimit interval 1 burst 16
|
||||
----
|
||||
+
|
||||
This would reduce the response rate for IP addresses that send packets on
|
||||
average more frequently than once per 16 seconds or send packets in bursts
|
||||
of more than 4 packets.
|
||||
This would reduce the response rate for IP addresses sending packets on average
|
||||
more than once per 2 seconds, or sending packets in bursts of more than 16
|
||||
packets, by up to 75% (with default *leak* of 2).
|
||||
|
||||
[[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]::
|
||||
The *smoothtime* directive can be used to enable smoothing of the time that
|
||||
|
|
@ -1394,8 +1395,8 @@ need to be run with the *-p 257* switch to inter-operate correctly.)
|
|||
[[cmdratelimit]]*cmdratelimit* [_option_]...::
|
||||
This directive enables response rate limiting for command packets. It is
|
||||
similar to the <<ratelimit,*ratelimit*>> directive, except responses to
|
||||
localhost are never limited and the default interval is 1 (2 seconds), the default
|
||||
burst is 16, and the default leak rate is 2.
|
||||
localhost are never limited and the default interval is -4 (16 packets per
|
||||
second).
|
||||
+
|
||||
An example of the use of the directive is:
|
||||
+
|
||||
|
|
|
|||
Loading…
Reference in a new issue