[ntp:questions] NTPD concurrent clients limit

Unruh unruh-spam at physics.ubc.ca
Thu Jul 31 16:40:13 UTC 2008

"David L. Mills" <mills at udel.edu> writes:


>The ntpd does keep a most-recently--used list and has for almost twenty 
>years. It has been used by NIST, USNO and here to find and punish 
>abusers. See the papers referenced on the NTP project page. The most 
>interesting case was finding the abusers in a flood of 3000 packets per 
>second with three load-balanced servers.

How long is the list? 


>Unruh wrote:

>> "Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>Unruh wrote:
>>>>"Richard B. Gilbert" <rgilbert88 at comcast.net> writes:
>>>>>j. wrote:
>>>>>>Hi all,
>>>>>>I'm testing an embedded linux device, which implement an NTP server,
>>>>>>based on the ntpd demon.
>>>>>>It looks like ntpd accepts only a limited number of requests from a
>>>>>>test clientIi've set up.
>>>>>>Do you know if there's such limit or what's the logic behind it?
>>>>>>Maybe ntpd rejects bursts of requests coming from the same IP?
>>>>>>Thanks in advance,
>>>>>>Gianandrea Gobbo.
>>>>>If you poll the server continuously at intervals of less than 64 
>>>>>seconds, most modern NTP servers will send you a "Kiss of Death" packet.
>>>>>Polling this frequently is considered abusive!  It's also unnecessary, 
>>>>>NTP is designed to work with poll intervals between 64 seconds and 1024 
>>>>>seconds and will adjust its poll interval within that range as needed.
>>>>His question can be rephrased, what does ntpd do after it has sent the Kiss of Death?
>>>>does it drop all subsequent packets? -- That sounds like a huge cost on the
>>>>ntp server-- ie imagine a popular server with 10,000 machines it has sent
>>>>the KoD to. It then has to scan that whole list for each packet to see if
>>>>it is in there-- something which takes time and destroys the ability of ntp
>>>>to deliver its time base rapidly.
>>>>Note that how ntpd handles this situation depends on which version of ntpd
>>>>you are running. 
>>>>>There are two exceptions to the above.  You may specify the "iburst" 
>>>>>keyword for a server and NTPD will send an INITIAL burst of eight 
>>>>>request packets at intervals of two seconds.  This is designed for fast 
>>>>>startup.  After the initial burst, polling continues at intervals 
>>>>>between 64 and 1024 seconds.
>>>>So how does the server know whether this burst is an iburst or is a rogue
>>>>client to which it should send a KoD?
>>>Ntpd keeps a list of its clients.  It should be able to tell if a 
>>>particular client is initializing or is abusing the server.
>> And how would it tell? And how DOES it tell ( since there is a lot that
>> could have been programed in and wasn't). And why would it keep a list of
>> its clients. That could mean it would have to keep a lost of 1000000
>> clients,  and how does it prune the list? And how does it check that the
>> latest request is from an abuser, from a newcomer, or from a good guy?

More information about the questions mailing list