[Pool] Prevent packet storm

Andy Fletcher andy at x31.com
Thu Mar 24 17:00:52 UTC 2011


On 03/24/2011 02:46 PM, lst_hoe02 at 79365-rhs.de wrote:
> Hello
> 
> since some days i have a public ntp server in the pool. Today i
> discovered that ntpd was using around 5% CPU power and found a constant
> packet flow of around 500..1000 packets per second from a single IP
> address.
> 
> Any hints how to deal with this beside dropping them by iptables

iptables is the way to go but you don't need to hardcode their address
but use the recent module to drop any packets from offenders who exceed
a given number of packed per second averaged over a period. After a
while they will give up and try a different server.

This has the advantage that it self resets once they get below the
threshold, the two lines below will do this (adjust -i to match your
interface)

iptables -A INPUT -i eth0 -p udp -m udp --dport 123  \
-m recent --set --name NTPTRAFFIC --rsource

iptables -A INPUT -i eth0 -p udp -m udp --dport 123  \
-m recent --update --seconds 60 --hitcount 7 \
--name NTPTRAFFIC --rsource -j DROP

You can view the connecting hosts by looking at the conntrack table:

cat /proc/net/ip_conntrack | grep dport=123

And you can see what sort of performance you are getting by looking at
the iptables stats

iptables -n -L -v  | grep 123

I've been running it for a while on a server in Amsterdam and the
abusive clients disappeared almost instantly. If I check now it shows
very few attempts:

iptables -n -L -v  | grep 123

1038K   79M DROP       udp  --  eth0   *       0.0.0.0/0
0.0.0.0/0           udp dpt:123 state NEW recent: UPDATE seconds: 60
hit_count: 7 name: NTPTRAFFIC side: source
  74M 5613M            udp  --  eth0   *       0.0.0.0/0
0.0.0.0/0           udp dpt:123 state NEW recent: SET name: NTPTRAFFIC
side: source

But I'm serving a lot of ntp clients (over 5k in the last minute):

cat /proc/net/ip_conntrack | grep dport=123 | wc -l
5615


There is a balance in conntrack table size and count period.  A limit of
7 packets in one minute for a client appears to work well and allows
clients to use iburst without being dropped.

I'd love to hear comments on this.

regards

Andy


More information about the pool mailing list