    Domain Time II offers exclusive security features to ensure that your network's time is correct and resistant to both intentional and inadvertent interference from other sources.

    [Figure: Full Client Control Panel Applet - Security Settings Tab]

    Denial of Service (Flooding) Protection


    Automatic protection against Denial of Service (DoS) attacks.

      DoS attacks are attempts to disable your system's operation by flooding the system with bogus and/or malformed messages. Domain Time II protects against these kinds of attacks by not allowing any system to monopolize its resources. When DoS protection is enabled, any system that exceeds the DoS traffic thresholds you specify has its access automatically blocked for a period of time.

      DoS Protection Enabled
      DoS protection is enabled when this box is checked. This is the default.

      If any one machine sends more than requests in a -second period,
      Domain Time should stop responding to that machine for seconds

      These fields allow you to specify what level of traffic the client should consider as a DoS attack, and also how long to suspend communication from the offending machine.

      The default settings should be sufficient for most applications; however, you may wish to adjust them if you have different traffic security requirements.
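
      Before changing the thresholds, it helps to replay observed request times against candidate values and see which sources would be blocked. The following is an added example, not Greyware's code: it assumes a sliding-window reading of the three fields, and the function name, sample addresses and threshold values are constructed for illustration.

```python
from collections import defaultdict, deque

def simulate_dos_blocking(events, max_requests, window_secs, block_secs):
    """Replay (timestamp, source_ip) events; return {ip: [(block_start, block_end), ...]}.

    Assumed model: a source is blocked when it sends MORE THAN max_requests
    within any window_secs sliding window; requests arriving while blocked
    are dropped and do not count toward the next window.
    """
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    blocked_until = {}               # ip -> time at which the block expires
    blocks = defaultdict(list)
    for ts, ip in sorted(events):
        if ts < blocked_until.get(ip, float("-inf")):
            continue                 # still blocked: request ignored
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window_secs:
            q.popleft()              # discard requests older than the window
        if len(q) > max_requests:
            blocked_until[ip] = ts + block_secs
            blocks[ip].append((ts, ts + block_secs))
            q.clear()                # start counting afresh after the block
    return dict(blocks)

# Constructed sample traffic (documentation address ranges, not real hosts):
# a well-behaved client polling every 2 s, and a monitoring host that bursts.
SAMPLE_EVENTS = (
    [(t, "192.0.2.10") for t in range(0, 60, 2)]
    + [(10 + i * 0.1, "198.51.100.7") for i in range(12)]
    + [(40 + i * 0.1, "198.51.100.7") for i in range(12)]
)

if __name__ == "__main__":
    # Threshold values here are illustrative, not the product defaults.
    result = simulate_dos_blocking(SAMPLE_EVENTS, max_requests=10,
                                   window_secs=5, block_secs=20)
    for ip, spans in result.items():
        for start, end in spans:
            print(f"{ip} blocked from t={start:.1f}s to t={end:.1f}s")
```

      A legitimate source that shows up in the output (a monitoring host, for instance) is a sign the candidate thresholds are too tight for your traffic.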

    Access Permissions


    Control which machines can communicate with your client.

      Your time service can potentially be interfered with if you are automatically discovering and/or receiving time signals from unwanted time servers.

      To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses. You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your time traffic to come only from the systems you intend.

      If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.

      No restrictions is the default setting.

      These values can also be preset using the DOMTIME.INI template file.

    Advanced - Command Restrictions


    When you click on the Advanced button on the Security tab, you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of Domain Time II control and sync messages your client listens for on the network.

    [Figure: The Domain Time II Full Client - Command Restrictions Page]

    The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults. Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and malign interference.

    The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of security is required, such as running a Client on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing commands are not affected.

    Warning:
    Disabling protocol commands can have unintended consequences on the operation of your entire time distribution network, including the prevention of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite hard to troubleshoot later, particularly by the next system administrator after you. Make adjustments only if you understand and require them, and be sure you document the changes so you can maintain the consistency and smooth operation of your time network.


Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2024 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.