[Pool] Server Abuse
bob at graynz.net
Sun Apr 5 06:15:48 UTC 2015

Not something I'd thought to look at before but I found different addresses
but the same result - a small number of originating high traffic IP

Rate limiting seems a simple and obvious response unless there is a
legitimate reason for this behaviour that I am unaware of?

On 5 April 2015 at 08:26, Miguel Barbosa Gonçalves <m at mbg.pt> wrote:
> I've added a server I own to the pool some weeks ago. The traffic level is
> perfectly acceptable for the connectivity of the server. I am seeing around
> 400 packets-per-second when serving only NTP traffic.
>
> Today, I decided to capture the traffic with tcpdump and analyse it. I was
> a bit shocked...
>
> - Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1. This is
> a 292 second period.
> - During this period my server saw 76039 different IP addresses.
> - The IP addresses with the biggest number of queries were
>   1984 184.108.40.206
>   1847 220.127.116.11
>   1846 18.104.22.168
>   1800 22.214.171.124
>   1778 126.96.36.199
>   1278 188.8.131.52
>   1258 184.108.40.206
>   1248 220.127.116.11
>   1234 18.104.22.168
>
> The first 5 belong to the same entity. They queried my server 9255 times in
> 292 seconds. This is 31 queries per second! The first IP address contacted
> my server 6.79 times per second.
>
> I find this bad, very bad in fact. So, I added a rule in my firewall so
> that there only can be one state per IP address. The UDP timeout in my
> firewall is around 30 seconds so this limits the clients to one connection
> every 30 seconds.
>
> I believe well behaved clients won't notice but these abusers will soon see
> no responses.
>
> What do you think about this?
> pool mailing list
> pool at lists.ntp.org
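
An added example, not part of either poster's message: the per-source count described in the thread, followed by a simplified model of the "one state per IP, 30 second timeout" rule to show how many queries each kind of client would lose. It assumes `tcpdump -n -tt` text output in the form shown in the comments; the addresses, timestamps and the 64 second poll interval are constructed sample data.

```python
import re
from collections import Counter

# Assumed line format (tcpdump -n -tt):
#   1000.000000 IP 192.0.2.10.40000 > 198.51.100.5.123: NTPv4, Client, length 48
QUERY = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > \S+\.123: NTPv\d, Client,")

def parse(lines):
    """Return [(timestamp, source_ip)] for inbound NTP client queries only."""
    return [(float(m.group(1)), m.group(2))
            for m in map(QUERY.match, lines) if m]

def top_talkers(events, window, n=5):
    """Query count and queries/second per source over a capture of `window` s."""
    counts = Counter(src for _, src in events)
    return [(src, c, round(c / window, 2)) for src, c in counts.most_common(n)]

def one_state_per_source(events, timeout=30.0):
    """Simplified model of the rule in the post: a query is admitted only when
    the source has no live state; a state lives `timeout` s after admission."""
    expires, passed, dropped = {}, Counter(), Counter()
    for ts, src in sorted(events):
        if ts >= expires.get(src, 0.0):
            expires[src] = ts + timeout
            passed[src] += 1
        else:
            dropped[src] += 1
    return passed, dropped

def constructed_capture(duration=292):
    """Constructed sample: one heavy source and one client polling every 64 s."""
    fmt = "{:.6f} IP {}.{} > 198.51.100.5.123: NTPv4, Client, length 48"
    lines = [fmt.format(1000.0 + i * duration / 1984, "192.0.2.10", 40000 + i)
             for i in range(1984)]  # same count as the busiest source in the post
    lines += [fmt.format(1000.0 + i * 64, "192.0.2.77", 51000) for i in range(5)]
    # A server reply, which must not be counted as a query.
    lines.append("1000.500000 IP 198.51.100.5.123 > 192.0.2.77.51000: NTPv4, Server, length 48")
    return lines

if __name__ == "__main__":
    events = parse(constructed_capture())
    for src, count, qps in top_talkers(events, window=292):
        print(f"{count:6d} {src:15s} {qps:5.2f} q/s")
    passed, dropped = one_state_per_source(events)
    for src in passed:
        print(f"{src}: {passed[src]} answered, {dropped[src]} dropped")
```

In this model the 64 second poller loses nothing, while the heavy source is cut to one answered query per 30 seconds.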