[Pool] Prevent packet storm

der Mouse mouse at Rodents-Montreal.ORG
Thu Mar 24 17:12:34 UTC 2011

> since some days i have a public ntp server in the pool.  Today i
> discovered that ntpd was using around 5% CPU power and found a
> constant packet flow of around 500..1000 packets per second from a
> single IP address.

Such things have been noticed and remarked on before.

> Any hints how to deal with this beside dropping them by iptables?

That's basically what I do (well, mutatis mutandis - I don't use Linux
and the software doing the blocking isn't stock even for the OS I do
use): send me more NTP traffic than some fixed rate I don't know
precisely but is somewhere close to one packet every 11 seconds, and
keep it up for too long, and my software will block you at my border.
("Too long" is variable depending on the rate; it can be as little as
251 packets and it can be arbitrarily long if you exceed the threshold
rate by little enough - I keep a value that decays exponentially with
time and is incremented every packet, and if it gets too high the block
goes up.  The decay constant, the threshold, and the increment combine
to determine the exact numbers.)
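The decaying-counter scheme the reply describes, as an added example (my own code, not the poster's software). The decay constant, increment and threshold are assumed values, picked so the effective limit lands near one packet every 11 seconds; the source address is constructed.

```python
"""Per-source packet counter that decays exponentially with time.

Each packet adds INCREMENT; between packets the value decays with time
constant TAU; once it reaches THRESHOLD the source is marked blocked.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed parameters, not the poster's real ones.
TAU = 2750.0       # decay time constant, seconds
INCREMENT = 1.0    # added to the counter per packet
THRESHOLD = 251.0  # counter value at which the block goes up


@dataclass
class SourceState:
    value: float = 0.0
    last_seen: float = 0.0
    blocked: bool = False


class RateGuard:
    def __init__(self, tau=TAU, increment=INCREMENT, threshold=THRESHOLD):
        self.tau, self.increment, self.threshold = tau, increment, threshold
        self.sources: Dict[str, SourceState] = {}

    def observe(self, src: str, now: float) -> bool:
        """Record one packet from src at time now; True if src is blocked."""
        st = self.sources.setdefault(src, SourceState(last_seen=now))
        if st.blocked:
            return True
        # Decay what was there, then count this packet.
        st.value = st.value * math.exp(-(now - st.last_seen) / self.tau)
        st.value += self.increment
        st.last_seen = now
        st.blocked = st.value >= self.threshold
        return st.blocked


def steady_state(interval: float, tau=TAU, increment=INCREMENT) -> float:
    """Counter value a source converges to when sending every `interval` s."""
    return increment / (1.0 - math.exp(-interval / tau))


def threshold_interval(tau=TAU, increment=INCREMENT, threshold=THRESHOLD) -> float:
    """Packet spacing at which the steady state exactly equals the threshold."""
    return -tau * math.log(1.0 - increment / threshold)


def packets_until_block(interval: float, count: int) -> Optional[int]:
    """Send `count` packets `interval` s apart; 1-based packet that gets blocked."""
    guard = RateGuard()
    for i in range(1, count + 1):
        if guard.observe("198.51.100.7", i * interval):  # constructed address
            return i
    return None
```

A 500 pps flood trips the block after about 251 packets, a client polling every 12 s never does, and one polling every 10 s is blocked only after several hundred packets.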

