[ntp:questions] [Pool] 4000 packets a second?
David L. Mills
mills at udel.edu
Wed Sep 1 00:42:40 UTC 2010
Did you intend the discard minimum 0? That effectively disables the rate
control defense mechanism. You should leave it out.
Dave Hart wrote:
>On Mon, Aug 30, 2010 at 20:12 UTC, Scott Baker <bakers at canbytel.com> wrote:
>>My server was getting 4000 requests every 5 seconds from a 184.108.40.206.
>>I was able to block that IP at our upstream router. Is there a better way
>>(with NTPd) to block something like that?
>A pool server I'm involved with uses:
>discard minimum 0
>restrict default limited kod notrap nomodify
>With versions of ntpd older than 4.2.6, you should also add:
>restrict -6 default limited kod notrap nomodify
>to apply the same default restrictions to both IPv4 and IPv6 clients.
>In any case, you will also want relaxed restrictions covering at least
>localhost and possibly some local subnets:
>By default, ntpd enforces no rate limiting. If the applicable
>restrict line for a given client contains "limited", basic rate
>limiting is enforced, controlled by the "discard minimum" and "discard
>average" knobs.
>Be aware that if you enable rate limiting, the default "discard
>minimum 1" degrades service to ntpdate clients, which send the next
>request as soon as they receive the prior response with no regard to
>rate limiting. The very newest 4.2.7 versions of ntpdate rate-limit
>requests to stay under the ntpd defaults, but to provide better
>service to older ntpdate, "discard minimum 0" lowers the minimum time
>allowed between requests from a single IP to 1s from 2s default.
>ntpdate can work with only one response out of four tries, but more
>responses are better.
>You can monitor the rate limiting in action using "ntpdc -c sysstats",
>or, with a 4.2.7 ntpq and ntpd, "ntpq -c sysstats" which adds a KoDs
>sent counter compared to its ntpdc equivalent. "ntpdc -c monlist" (or
>on 4.2.7 or later, "ntpq -c mrulist") might also provide insight.
>Speaking of KoDs, they are not sent by default. The source IP's matching
>restrict line must have _both_ "limited" and "kod" for Kiss-O'Death
>responses to emit, as the KoD code is never reached unless
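The thread turns on three ntp.conf details: rate limiting applies only when the matching restrict line carries "limited", KoD packets go out only when it carries both "limited" and "kod", and pre-4.2.6 ntpd needs a separate "restrict -6 default" line. The audit script below is an added example, not code from the thread or from the NTP project; it parses the restrict and discard lines of a config and reports those three points. The two config fragments are constructed for the example (the first mirrors the pool-server lines Dave Hart posted, with assumed localhost lines; the second is a deliberately weaker config), and the parser's handling of "-4"/"-6" and of "discard" key/value pairs follows the ntp.conf syntax shown in the thread.

```python
"""Audit ntp.conf rate-limiting settings: 'limited', 'kod', 'discard', and
the IPv6 default restriction. Added example; constructed inputs below."""
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the pool-server fragment posted above, with
# assumed relaxed lines for localhost (the thread does not show those lines).
SAMPLE_POOL = """\
driftfile /var/lib/ntp/ntp.drift
discard minimum 0
restrict default limited kod notrap nomodify
restrict -6 default limited kod notrap nomodify
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org iburst
"""

# Constructed weaker config: no 'limited', no 'kod', no IPv6 default line.
SAMPLE_WEAK = """\
restrict default notrap nomodify
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""

Restrict = Tuple[str, str, Set[str]]  # (family, target, flags)


def parse_ntp_conf(text: str) -> Dict[str, object]:
    """Extract 'discard' key/value pairs and every 'restrict' line."""
    discard: Dict[str, int] = {}
    restricts: List[Restrict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "discard":
            # 'discard minimum N average M ...' is a list of key/value pairs
            for key, val in zip(parts[1::2], parts[2::2]):
                discard[key] = int(val)
        elif parts[0] == "restrict":
            family, rest = "ipv4", parts[1:]
            if rest and rest[0] in ("-4", "-6"):
                family = "ipv6" if rest[0] == "-6" else "ipv4"
                rest = rest[1:]
            if rest:
                restricts.append((family, rest[0], set(rest[1:])))
    return {"discard": discard, "restrict": restricts}


def audit_rate_limiting(text: str) -> Dict[str, object]:
    """Report whether rate limiting and KoD are active for default clients."""
    conf = parse_ntp_conf(text)
    defaults: Dict[str, Set[str]] = {
        fam: flags for fam, target, flags in conf["restrict"] if target == "default"
    }
    findings: List[str] = []
    for fam in ("ipv4", "ipv6"):
        flags = defaults.get(fam)
        if flags is None:
            findings.append(
                f"{fam}: no 'restrict -6 default' line; ntpd older than 4.2.6 "
                "needs it to apply the same defaults to IPv6 clients"
            )
        elif "limited" not in flags:
            findings.append(f"{fam}: default restrict lacks 'limited', so no rate limiting applies")
        elif "kod" not in flags:
            findings.append(
                f"{fam}: 'limited' without 'kod', so over-rate packets are dropped "
                "without a Kiss-o'-Death telling the client to back off"
            )
    if conf["discard"].get("minimum") == 0:
        findings.append(
            "discard minimum 0 set: Mills advises leaving it out; Hart describes it "
            "as lowering the per-IP minimum packet spacing"
        )
    # KoD is only ever sent when both 'limited' and 'kod' are present
    kod_enabled = {fam: {"limited", "kod"} <= defaults.get(fam, set()) for fam in ("ipv4", "ipv6")}
    return {
        "defaults": defaults,
        "discard": conf["discard"],
        "kod_enabled": kod_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("pool", SAMPLE_POOL), ("weak", SAMPLE_WEAK)):
        report = audit_rate_limiting(conf)
        print(name, report["kod_enabled"], report["discard"])
        for f in report["findings"]:
            print("  -", f)
```

Run against the pool fragment the only finding is the "discard minimum 0" line that Mills questions; against the weaker config it reports that no rate limiting applies to IPv4 and that no IPv6 default line exists, which is the state in which ntpd answers every packet from a 4000-requests-per-5-seconds source.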