[Pool] Server Abuse
Miguel Barbosa Gonçalves
m at mbg.pt
Sat Apr 4 20:26:33 UTC 2015
I added a server I own to the pool some weeks ago. The traffic level is
perfectly acceptable for the connectivity of the server. I am seeing around
400 packets-per-second when serving only NTP traffic.
Today, I decided to capture the traffic with tcpdump and analyse it. I was
a bit shocked...
- Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1. This is
a 292 second period.
- During this period my server saw 76039 different IP addresses.
- The IP addresses with the biggest number of queries were
The first 5 belong to the same entity. They queried my server 9255 times in
292 seconds. This is 31 queries per second! The first IP address contacted
my server 6.79 times per second.
I find this bad, very bad in fact. So, I added a rule in my firewall so
that there can only be one state per IP address. The UDP timeout in my
firewall is around 30 seconds so this limits the clients to one connection
every 30 seconds.
I believe well-behaved clients won't notice but these abusers will soon see
What do you think about this?
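
The per-source analysis described in the message above, as an added example that is not part of the original post: it counts NTP queries per source address in a capture, reports the top talkers with their query rate, and estimates how many of each source's queries a one-per-30-seconds limit would admit. It assumes text output from `tcpdump -nn -tt` (IPv4 only), uses constructed sample lines with documentation addresses, and models the firewall rule in a simplified way (one admitted query per source per timeout window), which is an assumption rather than the behaviour of any particular firewall.

```python
import re
from collections import Counter

# Matches `tcpdump -nn -tt` text lines for IPv4 packets sent to UDP port 123.
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.123: ")

def parse(lines):
    """Yield (timestamp, source_ip) for each NTP query line; skip everything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield float(m.group(1)), m.group(2)

def summarize(lines, state_timeout=30.0, top=5):
    """Per-source query counts, rates, and queries admitted under the rate limit."""
    events = sorted(parse(lines))
    if not events:
        return None
    duration = max(events[-1][0] - events[0][0], 1.0)  # guard against a zero-length capture
    counts = Counter(ip for _, ip in events)
    # Assumed model: admit a query only if this source has had none admitted
    # during the previous `state_timeout` seconds.
    last_admit, admitted = {}, Counter()
    for ts, ip in events:
        if ip not in last_admit or ts - last_admit[ip] >= state_timeout:
            last_admit[ip] = ts
            admitted[ip] += 1
    talkers = [(ip, n, n / duration, admitted[ip]) for ip, n in counts.most_common(top)]
    return {"duration": duration, "sources": len(counts),
            "queries": len(events), "top": talkers}

def sample_capture():
    """Constructed input: one client querying every 0.5 s, one polling twice."""
    base = 1428171811.0
    fmt = "{:.6f} IP {}.{} > 198.51.100.1.123: NTPv4, Client, length 48"
    lines = [fmt.format(base + i * 0.5, "192.0.2.10", 40000 + i) for i in range(121)]
    lines += [fmt.format(base + t, "203.0.113.7", 123) for t in (0.0, 64.0)]
    # A non-NTP line, to show that unrelated traffic is ignored.
    lines.append("{:.6f} ARP, Request who-has 198.51.100.1 tell 198.51.100.254, "
                 "length 28".format(base + 1))
    return lines

if __name__ == "__main__":
    report = summarize(sample_capture())
    print("%d sources, %d queries in %.0f s" %
          (report["sources"], report["queries"], report["duration"]))
    for ip, n, rate, ok in report["top"]:
        print("%-15s %6d queries  %6.2f/s  %d admitted" % (ip, n, rate, ok))
```

On a real capture, pass the lines of a saved `tcpdump` text file to `summarize()` instead of `sample_capture()`.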