[Pool] OT: how much traffic is too much? (was Re: From which IP addresses is going monitoring activity?)

Mouse mouse at Rodents-Montreal.ORG
Thu Sep 22 14:09:16 UTC 2011

>> The real problems aren't from someone polling every 500 seconds, or
>> even every minute--

Indeed, I usually see ntpd poll every 64 seconds for a while on

>> it's the folks sending a query every second because their config or
>> firewall is busted.
> This might already be answered somewhere in a FAQ, but, why is even
> that too much?  The NTP traffic I see never goes over 5-6 kbps, and
> the daemon should be able to handle at least 20 times more than that.
> So, is there a reason to ban anyone who isn't sending something like
> 100pps?

I have software set up to block, at my border router, anyone pounding
too hard on my NTP port, and, speaking purely personally, there are two

One is that NTP already takes up a significant fraction of my netlink,
even with the autobans.  Every kilobit helps.  (The ban actually
happens on the wrong end of my netlink at the moment, but it at least
eliminates the return traffic.)  Note that no single abuser may be all
that egregious, but, in the aggregate, they make a difference.

The other is negative pressure against misbehaviour, in the
evolutionary sense.  If abusers find NTP doesn't work well for them,
they may stop.

(What is my "too much" threshold?  It's not a hard "more than this many
pps is too much"; what I have is, conceptually, a per-IP counter which
is incremented by 1 for every packet and decays exponentially at a
rate that gives it a half-life of half an hour.  If it goes over a
fixed value - 750, for NTP - the ban trips.  Considering only steady
traffic rates, this is somewhere around 3.465 seconds between packets,
but it's more tolerant of bursts than a simple packets-per-$TIME

