[Pool] Prevent packet storm
davehart at gmail.com
Thu Mar 24 17:49:44 UTC 2011
On Thu, Mar 24, 2011 at 11:46 AM, <lst_hoe02 at 79365-rhs.de> wrote:
> For some days I have had a public ntp server in the pool. Today I discovered
> that ntpd was using around 5% CPU power and found a constant packet flow of
> around 500..1000 packets per second from a single IP address.
Please share the IP address so others can keep an eye out for similar
abuse against their pool servers.
> Any hints how to deal with this besides dropping them by iptables?
Dropping at a firewall (whether upstream or host-based) will prevent
ntpd from wasting CPU, but ntpd alone has a few relevant knobs.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
kod does nothing without limited. Add limited to your default
restrictions and ntpd will provide time service no more than once
every 2s (default, see html/ docs for "discard minimum" to adjust):
> restrict -4 default limited kod notrap nomodify nopeer noquery
> restrict -6 default limited kod notrap nomodify nopeer noquery
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
# previous abusers get nothing (replace 220.127.116.11 with the abuser's IP address)
restrict 18.104.22.168 ignore
# if their address varies within a subnet (use whois to determine the netblock and mask)
restrict 22.214.171.124 mask 255.255.255.0 ignore
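The two steps Dave describes, spotting a source that sends far more than one query every 2 s and turning it (or its whois netblock) into a `restrict ... ignore` line, can be scripted. The following is an added example written for this page, not code from the thread or from the ntp project. It assumes the input is a list of (unix timestamp, source address) pairs taken from a capture of UDP/123 traffic; the threshold, the sample data and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Flag NTP clients that exceed a packets-per-second threshold and render
ntpd 'restrict ... ignore' lines for them (added example, not ntpd code)."""
import ipaddress
from collections import defaultdict

# Constructed sample: one client hammering at 500 pps within the first second,
# plus two well-behaved clients sending one or two queries.
SAMPLES = (
    [(i / 500.0, "192.0.2.10") for i in range(500)]
    + [(0.3, "198.51.100.5"), (0.7, "198.51.100.6"), (0.9, "198.51.100.6")]
)


def packets_per_second(samples):
    """Return {source_ip: peak packet count seen in any one-second bucket}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip in samples:
        buckets[ip][int(ts)] += 1
    return {ip: max(per_second.values()) for ip, per_second in buckets.items()}


def abusers(samples, threshold_pps=10):
    """Sources whose peak rate reaches threshold_pps (assumed threshold; a
    legitimate client should send far less than one query per 2 s)."""
    rates = packets_per_second(samples)
    return sorted(ip for ip, pps in rates.items() if pps >= threshold_pps)


def restrict_line(net):
    """Render a host or CIDR netblock as an ntpd restrict line.
    ntpd's restrict takes 'address mask netmask' rather than CIDR, so the
    prefix length is converted to a dotted (or hex, for IPv6) netmask."""
    n = ipaddress.ip_network(net, strict=False)
    if n.num_addresses == 1:
        return f"restrict {n.network_address} ignore"
    return f"restrict {n.network_address} mask {n.netmask} ignore"


def restrict_block(samples, threshold_pps=10, prefix_len=None):
    """Restrict lines for every abuser; prefix_len widens each entry to the
    netblock you found with whois (None keeps single-host entries)."""
    lines = []
    for ip in abusers(samples, threshold_pps):
        net = ip if prefix_len is None else f"{ip}/{prefix_len}"
        lines.append(restrict_line(net))
    return lines


if __name__ == "__main__":
    for ip, pps in sorted(packets_per_second(SAMPLES).items()):
        print(f"{ip:16} peak {pps} pps")
    print("\n".join(restrict_block(SAMPLES)))
    print("\n".join(restrict_block(SAMPLES, prefix_len=24)))
```

Feed the real capture in place of SAMPLES and paste the emitted lines into ntp.conf alongside the `limited kod` default restrictions; the single-host form blocks one abuser, the `mask` form blocks the whole netblock.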