[Pool] Prevent packet storm

Dave Hart davehart at gmail.com
Thu Mar 24 17:49:44 UTC 2011


On Thu, Mar 24, 2011 at 11:46 AM,  <lst_hoe02 at 79365-rhs.de> wrote:
> since some days i have a public ntp server in the pool. Today i discovered
> that ntpd was using around 5% CPU power and found a constant packet flow of
> around 500..1000 packets per second from a single IP address.

Please share the IP address so others can keep an eye out for similar
abuse against their pool servers.

> Any hints how to deal with this beside dropping them by iptables?

Dropping at a firewall (whether upstream or host-based) will prevent
ntpd from wasting CPU, but ntpd alone has a few relevant knobs.

> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery

kod does nothing without limited.  Add limited to your default
restrictions and ntpd will provide time service no more than once
every 2s (default, see html/ docs for "discard minimum" to adjust):

> restrict -4 default limited kod notrap nomodify nopeer noquery
> restrict -6 default limited kod notrap nomodify nopeer noquery

> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
# previous abusers get nothing (replace 1.2.3.4 with the abuser's IP address)
restrict 1.2.3.4 ignore
# if their address varies within a subnet (use whois to determine the
# netblock and mask)
restrict 1.2.3.0 mask 255.255.255.0 ignore

Cheers,
Dave Hart
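The thread asks how to spot and then block a single address hammering a pool server. The script below is an added example, not from Dave's message or from the ntp project: it buckets tcpdump-style lines for UDP/123 client packets by source and second, flags any source exceeding an assumed 300 pps threshold, and emits the `restrict <ip> ignore` lines recommended above. The log lines and addresses are constructed, not a real capture.

```python
"""Find a single source flooding a pool server with NTP client packets
and print the ntpd 'restrict ... ignore' entries to shut it out.
Added example; sample log is constructed, threshold is an assumed value."""
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style sample: one host sends 600 packets in each of
# two seconds, two ordinary clients send one packet each.
SAMPLE_LOG = "\n".join(
    [f"12:00:0{s}.{i * 1666:06d} IP 198.51.100.7.123 > 203.0.113.5.123: "
     f"NTPv4, Client, length 48"
     for s in range(2) for i in range(600)]
    + ["12:00:00.500000 IP 192.0.2.10.123 > 203.0.113.5.123: NTPv4, Client, length 48",
       "12:00:01.250000 IP 192.0.2.11.52123 > 203.0.113.5.123: NTPv4, Client, length 48"]
)

# Capture whole-second timestamp and source IP; only NTP client packets
# addressed to port 123 are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.123: NTPv4, Client"
)


def packets_per_second(log):
    """Return {src_ip: highest packet count seen in any one-second bucket}."""
    buckets = defaultdict(Counter)          # src -> Counter(second -> packets)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            buckets[m["src"]][m["ts"]] += 1
    return {src: max(c.values()) for src, c in buckets.items()}


def abusers(log, threshold_pps=300):
    """Sources whose peak rate exceeds threshold_pps (assumed tuning value)."""
    return sorted(src for src, pps in packets_per_second(log).items()
                  if pps > threshold_pps)


def restrict_lines(ips):
    """ntp.conf entries that make ntpd drop the listed sources silently."""
    return [f"restrict {ip} ignore" for ip in ips]


if __name__ == "__main__":
    for entry in restrict_lines(abusers(SAMPLE_LOG)):
        print(entry)
```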

