[ntp:questions] NTPD concurrent clients limit
Unruh
unruh-spam at physics.ubc.ca
Wed Jul 30 23:46:39 UTC 2008
"Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>Unruh wrote:
>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>
>>> j. wrote:
>>>> Hi all,
>>>> I'm testing an embedded linux device, which implements an NTP server,
>>>> based on the ntpd daemon.
>>>> It looks like ntpd accepts only a limited number of requests from a
>>>> test client I've set up.
>>>> Do you know if there's such a limit or what's the logic behind it?
>>>> Maybe ntpd rejects bursts of requests coming from the same IP?
>>>>
>>>> Thanks in advance,
>>>> Gianandrea Gobbo.
>>
>>> If you poll the server continuously at intervals of less than 64
>>> seconds, most modern NTP servers will send you a "Kiss of Death" packet.
>>> Polling this frequently is considered abusive! It's also unnecessary,
>>> NTP is designed to work with poll intervals between 64 seconds and 1024
>>> seconds and will adjust its poll interval within that range as needed.
>>
>> His question can be rephrased, what does ntpd do after it has sent the Kiss of Death?
>> Does it drop all subsequent packets? -- That sounds like a huge cost on the
>> ntp server-- i.e. imagine a popular server with 10,000 machines it has sent
>> the KoD to. It then has to scan that whole list for each packet to see if
>> it is in there-- something which takes time and destroys the ability of ntp
>> to deliver its time base rapidly.
>>
>> Note that how ntpd handles this situation depends on which version of ntpd
>> you are running.
>>
>>
>>
>>> There are two exceptions to the above. You may specify the "iburst"
>>> keyword for a server and NTPD will send an INITIAL burst of eight
>>> request packets at intervals of two seconds. This is designed for fast
>>> startup. After the initial burst, polling continues at intervals
>>> between 64 and 1024 seconds.
>>
>> So how does the server know whether this burst is an iburst or is a rogue
>> client to which it should send a KoD?
>Ntpd keeps a list of its clients. It should be able to tell if a
>particular client is initializing or is abusing the server.
And how would it tell? And how DOES it tell (since there is a lot that
could have been programmed in and wasn't)? And why would it keep a list of
its clients? That could mean it would have to keep a list of 1000000
clients, and how does it prune the list? And how does it check that the
latest request is from an abuser, from a newcomer, or from a good guy?
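
The questions in this message (how a server could tell an initial burst from sustained fast polling, what a per-packet lookup costs, and how a client list is pruned) can be illustrated with a small sketch. This is an added example, not ntpd's code and not part of the original post; the token-bucket scheme, the class and function names, and the table bound are assumptions, and the only values taken from the thread are the 64-second minimum poll interval and the eight-packet burst at two-second spacing.

```python
from collections import OrderedDict

MIN_POLL = 64.0       # seconds: minimum steady poll interval quoted in the thread
BURST = 8             # packets in an initial burst, as quoted in the thread
MAX_CLIENTS = 10000   # assumed bound on tracked sources (hypothetical)


class ClientTable:
    """Per-source token buckets in an LRU-ordered dict.

    Lookup is a hash access, so cost per packet does not grow with the
    number of tracked sources, and memory is bounded by max_clients.
    """

    def __init__(self, max_clients=MAX_CLIENTS):
        self.max_clients = max_clients
        self.clients = OrderedDict()   # ip -> (tokens, last_seen)

    def check(self, ip, now):
        """Return 'serve' or 'kod' for a request from ip at time now."""
        # An unknown source starts with a full bucket: room for one burst.
        tokens, last = self.clients.pop(ip, (float(BURST), now))
        # Refill one token per MIN_POLL seconds, capped at one burst.
        tokens = min(float(BURST), tokens + (now - last) / MIN_POLL)
        verdict = "serve" if tokens >= 1.0 else "kod"
        if verdict == "serve":
            tokens -= 1.0
        self.clients[ip] = (tokens, now)       # re-insert as most recent
        while len(self.clients) > self.max_clients:
            self.clients.popitem(last=False)   # prune least recently seen
        return verdict


def replay(table, ip, start, interval, count):
    """Feed count evenly spaced requests (constructed input) to the table."""
    return [table.check(ip, start + i * interval) for i in range(count)]
```
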