[time] Host querying itself?

Kim B. Sindalsen admin
Mon Dec 4 19:24:45 UTC 2006 

(Seems like this msg. didn't make it to the list - my follow-up and a reply to the follow-up arrived but this msg. didn't, so trying again)

Hi,

I?ve recently set up a ntp-server (ntp.vlh.dk) and added it to the pool and beside an alarming offset of about 400ms recently (http://stats.vlh.dk) it seems to be working quite well.

Now I?ve then started collecting some stats using the script found here: http://www.schlitt.net/scripts/ntp/

This revealed something that I surely didn?t expect to see.

The server itself (10.0.1.1) is listed as the top-requesting client, producing about 25% of the total requests ? I?m sure that?s not meant to be so, or am I wrong?

Close followed by a server producing ~20% of the requests ? I?m not troubled by the amount of traffic created (as of now anyway ?), but I might investigate methods to block heavy abusers. (btw. The rate in the stats is requests per second?).
What are my options of auto-ignoring clients that goes below ie. 30secs (what?s the ?standard? value).


Below is a snippet of the stats collected by the scripts:

Estimated active ntp pool clients:       550
Estimated abusive ntp pool clients:       14
Estimated inactive ntp pool clients:   34277
Total ntp pool clients being tracked:  34827
Note: NTP is a stateless and connectionless (UDP based) protocol, so
      exact numbers can't be determined.

  1374759 ntp requests, in total, have been seen since 12/02/06 18:53:47
   349846 (25.4%) are from clients that are still active.
Long term request rate:  0.123 seconds between requests  (8.13 req/sec)
Long term bandwidth in:  0.604 KBytes/s    4.829 Kbits/s
Long term bandwidth in:  1.492 GB/month   11.938 Gb/month
Current request rate:  0.268 seconds between requests  (3.73 req/sec)
Current bandwidth in:  0.277 KBytes/s    2.215 Kbits/s
Current bandwidth in:  0.684 GB/month    5.474 Gb/month
(NTP packets are usually 76 bytes, UDP overhead included, in each direction.)

The dump file was written 14 seconds ago, at 12/04/06 17:50:51

Subnets with many clients:
# of     Subnet       Total  Aggregate  Abusive
 IPs                  Count    Rate     Clients
   5 195.137.237.x      392   216.341       0

Clients with rapid updates (min requests of 100):
Rank    First Seen         Client IP     Requests    Rate    Usage  Cumulative
  1  12/02/06 18:53:47   10.0.1.1           87104     1.30  24.90%  24.90% * !
  2  12/03/06 06:18:17   85.214.39.135      65143     1.90  18.62%  43.52% * !
  3  12/02/06 18:54:02   130.226.165.136    19156     8.54   5.48%  48.99% * !
  4  12/02/06 18:53:54   63.72.140.8        10411    16.01   2.98%  51.97% * !
  5  12/02/06 18:55:15   69.140.110.134      9483    16.01 ( 2.64%)
  6  12/02/06 18:54:03   89.233.255.59       8651    13.92   2.47%  54.44% * !
  7  12/02/06 18:53:57   83.92.234.227       7315    28.04   2.09%  56.53% * !
  8  12/04/06 09:50:01   82.242.97.173       6398     3.70   1.83%  58.36% * !
  9  12/03/06 08:57:08   81.29.64.229        6216    31.81   1.78%  60.14% * !
 10  12/02/06 18:54:13   200.55.209.18       5507    30.35   1.57%  61.71% *
 11  12/02/06 18:54:10   88.160.185.2        5481    30.10   1.57%  63.28% *
 12  12/02/06 20:48:37   83.151.37.122       4991    30.03 ( 1.41%)
 13  12/04/06 09:50:01   62.212.122.131      4809     5.07   1.37%  64.65% * !
 14  12/02/06 18:54:03   87.198.194.50       4276    25.57   1.22%  65.88% *
 15  12/03/06 03:27:38   69.49.140.70        3214    41.62   0.92%  66.80% *
 16  12/03/06 03:54:11   74.225.41.189       3117    52.58   0.89%  67.69% *
 17  12/03/06 21:18:14   85.24.138.175       2253    32.09   0.64%  68.33% *
 18  12/04/06 12:05:48   212.239.176.86      2093     9.50   0.60%  68.93% * !
 19  12/03/06 20:37:07   87.225.240.22       1759    43.44   0.50%  69.43% *
 20  12/04/06 09:32:49   82.70.125.166       1647    16.02   0.47%  69.90% * !
 21  12/04/06 09:42:00   83.169.161.142      1305    35.72   0.37%  70.28% * !
 22  12/04/06 12:23:52   85.235.252.105      1038    14.78   0.30%  70.57% * !
 23  12/04/06 09:37:23   63.105.27.11         952    30.38   0.27%  70.84% *
 24  12/04/06 09:48:49   125.238.1.68         810    32.24   0.23%  71.08% *
 25  12/04/06 09:54:52   24.108.189.82        809    15.34 ( 0.23%)
 26  12/04/06 09:28:03   213.87.86.60         640    39.77 ( 0.18%)
 27  12/03/06 22:14:25   80.63.183.2          498    16.39 ( 0.14%)
 28  12/04/06 09:38:35   196.33.246.18        494    42.38 ( 0.14%)
 29  12/04/06 13:26:32   84.61.171.147        487    31.94   0.14%  71.21% *
 30  12/04/06 14:48:54   217.148.122.38       469     4.60 ( 0.13%)
 31  12/04/06 15:05:18   212.65.243.107       442    15.93   0.13%  71.34% * !
 32  12/04/06 15:15:06   88.232.120.17        414     1.59 ( 0.12%)
 33  12/04/06 10:34:43   140.78.96.30         380    32.02 ( 0.11%)
 34  12/04/06 07:53:17   83.151.156.92        377     7.91 ( 0.11%)
 35  12/04/06 15:16:44   85.99.54.121         369     2.16 ( 0.11%)
 36  12/04/06 07:40:13   192.38.227.98        365    15.95 ( 0.10%)
 37  12/04/06 14:58:11   85.104.80.125        264     2.61 ( 0.08%)
 38  12/04/06 16:16:58   130.226.31.81        231     5.08 ( 0.07%)
 39  12/04/06 14:56:04   194.29.45.157        165    13.46 ( 0.05%)
 40  12/04/06 15:05:22   86.135.163.244       162    14.60 ( 0.05%)
 41  12/04/06 15:12:08   84.186.91.234        137    16.52 ( 0.04%)
 42  12/04/06 15:17:18   193.68.24.46         117    20.57 ( 0.03%)
 43  12/04/06 14:42:34   217.148.123.27       100    23.46 ( 0.03%)
* = "active"  = probably will send another request.
! = "abusive" = min requests of 100 and an average rate of less than 30s
                between requests over the life of the entire connection.

-erialor

More information about the pool mailing list