A flaw was found in the way NTP handled rate limiting. An attacker able to send a large number of crafted requests to an NTP server could trigger the rate limiting on that server, and prevent clients from getting a usable reply from the server. The default NTP configuration in Red Hat Enterprise Linux does not enable rate limiting. External References: https://www.cs.bu.edu/~goldbe/NTPattack.html
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1296166]
While mitigating this particular issue by adding a log message into the log files, the upstream fix may have inadvertently introduced a new issue that could fill up all log files. The correct fix for this issue is randomized response rate limiting. However, implementing this fix would radically change the way limiting works in NTP and could potentially break other applications' functionality relying on this feature currently. An additional, less intrusive fix for this issue may be developed at a later time and included in later releases of Red Hat Enterprise Linux. Rate limiting is by default disabled in the ntp packages shipped in Red Hat Enterprise Linux. To specifically disable rate limiting, use the following workaround.

Mitigation: Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.
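The following is an added example, not part of this bug report or of the ntp project's own tooling, showing how to check an ntp.conf for the "limited" flag that the mitigation above says to leave off, and how to strip it while keeping the rest of the restrict line. Both configuration files are constructed samples; the function names and the choice of sed/awk are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug or the ntp project): audit an ntp.conf
# for "restrict" lines carrying the "limited" option, which is what enables the
# rate limiting this issue concerns. The mitigation is simply to not use it.

# Print every restrict line (comments stripped) whose option list contains the
# word "limited". Exit status 0 means rate limiting is not enabled anywhere,
# 1 means at least one restrict line enables it.
ntp_limited_restricts() {
    conf="$1"
    found=$(sed 's/#.*$//' "$conf" |
        awk '$1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "limited") { print; break } }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Emit a copy of the config with "limited" removed from restrict lines only;
# other options on the line (kod, nomodify, noquery, ...) are left untouched.
ntp_strip_limited() {
    sed -E '/^[[:space:]]*restrict[[:space:]]/ s/[[:space:]]+limited([[:space:]]|$)/\1/g' "$1"
}

# Constructed sample: rate limiting enabled on the default restriction.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
# constructed sample ntp.conf with rate limiting enabled
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
EOF

# Constructed sample: the same policy with "limited" removed (the mitigation).
fixed_conf=$(mktemp)
cat > "$fixed_conf" <<'EOF'
# constructed sample ntp.conf following the mitigation
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
EOF

# Demonstration; guarded with if/else so the script is safe under "set -e".
for f in "$weak_conf" "$fixed_conf"; do
    if ntp_limited_restricts "$f"; then
        echo "$f: rate limiting not enabled"
    else
        echo "$f: rate limiting enabled on the line(s) above; remove 'limited'"
    fi
done
```

To apply it to a live system, run `ntp_limited_restricts /etc/ntp.conf` and, if it reports a line, write `ntp_strip_limited /etc/ntp.conf` to a new file, review the diff, and restart ntpd. Only the `limited` keyword is removed; the other access-control options on the restrict line are preserved, since the mitigation is specifically about not enabling rate limiting, not about loosening the rest of the policy.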