[Pool] Server Abuse

Miguel Barbosa Gonçalves m at mbg.pt
Sat Apr 4 20:26:33 UTC 2015


Hi!

I added a server I own to the pool some weeks ago. The traffic level is
perfectly acceptable for the connectivity of the server. I am seeing around
400 packets-per-second when serving only NTP traffic.

Today, I decided to capture the traffic with tcpdump and analyse it. I was
a bit shocked...

- Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1.  This is
a 292 second period.

- During this period my server saw 76039 different IP addresses.

- The IP addresses with the biggest number of queries were

1984 193.236.92.137
1847 193.236.92.138
1846 193.236.92.145
1800 193.236.92.144
1778 193.236.92.141
1278 84.90.0.142
1258 212.55.172.9
1248 193.236.92.135
1234 212.55.181.167

The first 5 belong to the same entity. They queried my server 9255 times in
292 seconds. This is 31 queries per second! The first IP address contacted
my server 6.79 times per second.

I find this bad, very bad in fact. So, I added a rule in my firewall so
that there can only be one state per IP address. The UDP timeout in my
firewall is around 30 seconds so this limits the clients to one connection
every 30 seconds.

I believe well-behaved clients won't notice but these abusers will soon see
no responses.

What do you think about this?

Cheers,
Miguel
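
The per-source count described in the message above can be reproduced from tcpdump's text output. This is an added example, not part of the original post: it assumes lines in the `tcpdump -n` format shown in the comment, and the addresses and the 10-second sample capture are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# tcpdump -n text line for IPv4 traffic to UDP port 123, for example:
# 19:23:31.000000 IP 198.51.100.7.40123 > 192.0.2.10.123: NTPv4, Client, length 48
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.123: "
)

def per_source_rates(lines):
    """Return (window_seconds, {src_ip: (packets, packets_per_second)})."""
    counts, stamps = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet to the NTP port, or not parsable
        stamps.append(datetime.strptime(m.group(1), "%H:%M:%S.%f"))
        counts[m.group(2)] += 1
    if not stamps:
        return 0.0, {}
    # Assumes the capture does not cross midnight (tcpdump prints no date).
    window = (max(stamps) - min(stamps)).total_seconds()
    span = max(window, 1.0)  # avoid dividing by zero on very short captures
    return window, {ip: (n, n / span) for ip, n in counts.items()}

def heavy_hitters(lines, threshold_qps):
    """Sources above threshold_qps, busiest first, as (ip, packets, qps)."""
    _, rates = per_source_rates(lines)
    hits = [(ip, n, qps) for ip, (n, qps) in rates.items() if qps > threshold_qps]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def build_sample():
    """Constructed capture: one chatty and one polite client over 10 seconds."""
    base = datetime(2015, 4, 4, 19, 23, 31)
    fmt = "{} IP {}.40123 > 192.0.2.10.123: NTPv4, Client, length 48"
    events = [(base + timedelta(milliseconds=200 * i), "198.51.100.7")
              for i in range(50)]
    events += [(base, "203.0.113.9"), (base + timedelta(seconds=10), "203.0.113.9")]
    return [fmt.format(ts.strftime("%H:%M:%S.%f"), ip) for ts, ip in sorted(events)]

if __name__ == "__main__":
    sample = build_sample()
    window, _ = per_source_rates(sample)
    print(f"window: {window:.0f} s")
    for ip, n, qps in heavy_hitters(sample, threshold_qps=1.0):
        print(f"{n:6d} {ip}  {qps:.2f}/s")
```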

