diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 2016-11-21 16:14:42.804048665 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-11-21 17:32:45.619107824 +0100
@@ -473,30 +473,7 @@ receive(
 }
 /*
- * Update the MRU list and finger the cloggers. It can be a
- * little expensive, so turn it off for production use.
- */
- restrict_mask = ntp_monitor(rbufp, restrict_mask);
- if (restrict_mask & RES_LIMITED) {
- sys_limitrejected++;
- if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
- hismode || MODE_SERVER == hismode)
- return; /* rate exceeded */
-
- if (hismode == MODE_CLIENT)
- fast_xmit(rbufp, MODE_SERVER, skeyid,
- restrict_mask);
- else
- fast_xmit(rbufp, MODE_ACTIVE, skeyid,
- restrict_mask);
- return; /* rate exceeded */
- }
- restrict_mask &= ~RES_KOD;
-
- /*
- * We have tossed out as many buggy packets as possible early in
- * the game to reduce the exposure to a clogging attack. now we
- * have to burn some cycles to find the association and
+ * now we have to burn some cycles to find the association and
 * authenticate the packet if required. Note that we burn only
 * MD5 cycles, again to reduce exposure. There may be no
 * matching association and that's okay.
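Review bot: The comment left behind by this removal now opens mid-sentence with `now we have to burn some cycles ...`, and the deleted lines were the only place that said the cheap rejects come first. With the rate-limit block gone from this position, a rate-limited packet appears to go through the association lookup and authentication that this comment describes before it is dropped by the check added in the later hunk. I would reword the added line to say so, for example `* Find the association and authenticate the packet if required; rate limiting is applied afterwards, once the match code is known.` receive() starts and ends outside the hunk.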
@@ -519,6 +496,27 @@ receive(
 NTOHL_FP(&pkt->xmt, &p_xmt);
 /*
+ * Update the MRU list and finger the cloggers. It can be a
+ * little expensive, so turn it off for production use.
+ */
+ restrict_mask = ntp_monitor(rbufp, restrict_mask);
+ if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {
+ sys_limitrejected++;
+ if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
+ hismode || MODE_SERVER == hismode)
+ return; /* rate exceeded */
+
+ if (hismode == MODE_CLIENT)
+ fast_xmit(rbufp, MODE_SERVER, skeyid,
+ restrict_mask);
+ else
+ fast_xmit(rbufp, MODE_ACTIVE, skeyid,
+ restrict_mask);
+ return; /* rate exceeded */
+ }
+ restrict_mask &= ~RES_KOD;
+
+ /*
 * Authentication is conditioned by three switches:
 *
 * NOPEER (RES_NOPEER) do not mobilize an association unless
@@ -940,6 +938,10 @@ receive(
 case AM_NEWPASS:
 if (!AUTH(sys_authenticate | (restrict_mask & (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
+ if (restrict_mask & RES_LIMITED) {
+ sys_limitrejected++;
+ return;
+ }
 /*
 * If authenticated but cannot mobilize an
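Review bot: The relocated block in the hunk at +496 keeps the old comment and never says why `RES_LIMITED` is now honoured only when `retcode == AM_FXMIT`, which is the substance of the change. I would add a line such as `* Rate-limit only packets that match no association (AM_FXMIT); a source address can be forged, so packets matching a configured peer must not be dropped here.` (the rationale is inferred from the patch name, so confirm it against the advisory). The bit test should also be parenthesised, `if ((restrict_mask & RES_LIMITED) && retcode == AM_FXMIT) {`, rather than leaning on `&` binding tighter than `&&`. For every other match code `RES_LIMITED` stays set in `restrict_mask` past this point, since only `RES_KOD` is cleared. `retcode` is assigned outside the hunk, so check that it is always set before this line.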
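Review bot: The new `RES_LIMITED` check in the `AM_NEWPASS` hunk at +938 returns silently with no comment, and it is added to this one case only. A line such as `/* rate limited and not authenticated: drop without mobilizing */` above it would record the intent. Because the earlier hunk stops rejecting limited packets for any match code other than `AM_FXMIT`, the other cases of this switch that act on unauthenticated packets (not visible here) should be checked for the same guard. The `if (!AUTH(...))` branch continues outside the hunk.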