[Pool] Server Abuse

Robert Gray bob at graynz.net
Sun Apr 5 06:15:48 UTC 2015


Thanks Miguel

Not something I'd thought to look at before, but I found different addresses
but the same result - a small number of originating high-traffic IP
addresses.

Rate limiting seems a simple and obvious response unless there is a
legitimate reason for this behaviour that I am unaware of?

Robert Gray

On 5 April 2015 at 08:26, Miguel Barbosa Gonçalves <m at mbg.pt> wrote:

> Hi!
>
> I added a server I own to the pool some weeks ago. The traffic level is
> perfectly acceptable for the connectivity of the server. I am seeing around
> 400 packets per second when serving only NTP traffic.
>
> Today, I decided to capture the traffic with tcpdump and analyse it. I was
> a bit shocked...
>
> - Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1.  This is
> a 292 second period.
>
> - During this period my server saw 76039 different IP addresses.
>
> - The IP addresses with the biggest number of queries were
>
> 1984 193.236.92.137
> 1847 193.236.92.138
> 1846 193.236.92.145
> 1800 193.236.92.144
> 1778 193.236.92.141
> 1278 84.90.0.142
> 1258 212.55.172.9
> 1248 193.236.92.135
> 1234 212.55.181.167
>
> The first 5 belong to the same entity. They queried my server 9255 times in
> 292 seconds. This is 31 queries per second! The first IP address contacted
> my server 6.79 times per second.
>
> I find this bad, very bad in fact. So, I added a rule in my firewall so
> that there can only be one state per IP address. The UDP timeout in my
> firewall is around 30 seconds so this limits the clients to one connection
> every 30 seconds.
>
> I believe well-behaved clients won't notice but these abusers will soon see
> no responses.
>
> What do you think about this?
>
> Cheers,
> Miguel
>
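An added example, not part of either poster's message: a Python sketch of the analysis described in the quoted mail (count queries per source over a capture window) together with a simple model of the one-state-per-IP rule. The `tcpdump -tt -n` line layout, the fixed 30-second expiry counted from state creation, and all addresses (documentation ranges) are assumptions made for the example.

```python
import re
from collections import Counter

# One line of `tcpdump -tt -n udp dst port 123`: epoch time, source IP, source port.
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.123: ")

def parse(lines):
    """Return [(timestamp, source_ip)] for every line that is an NTP request."""
    matches = (LINE.match(line) for line in lines)
    return [(float(m.group(1)), m.group(2)) for m in matches if m]

def top_talkers(events, window_seconds, n=3):
    """Return [(ip, queries, queries_per_second)] for the n busiest sources."""
    counts = Counter(ip for _, ip in events)
    return [(ip, c, round(c / window_seconds, 2)) for ip, c in counts.most_common(n)]

def simulate_one_state(events, timeout=30.0):
    """Assumed model of the rule: a source's query is answered only if its
    previous state has expired, `timeout` seconds after it was created."""
    expires, answered, dropped = {}, Counter(), Counter()
    for ts, ip in sorted(events):
        if ts >= expires.get(ip, 0.0):
            expires[ip] = ts + timeout
            answered[ip] += 1
        else:
            dropped[ip] += 1
    return answered, dropped

def constructed_capture(t0=1428258211.0):
    """Constructed sample, 120 s window, documentation addresses only."""
    fmt = "{:.6f} IP {}.{} > 198.51.100.5.123: NTPv4, Client, length 48"
    heavy = [fmt.format(t0 + i * 0.25, "192.0.2.10", 40000 + i) for i in range(480)]
    steady = [fmt.format(t0 + t, "203.0.113.7", 123) for t in (5, 69)]  # 64 s poll
    burst = [fmt.format(t0 + t, "203.0.113.8", 50000 + t) for t in (10, 12, 14, 16)]
    return heavy + steady + burst

if __name__ == "__main__":
    events = parse(constructed_capture())
    for ip, count, qps in top_talkers(events, window_seconds=120):
        print(f"{count:5d} {ip:15s} {qps:.2f} q/s")
    answered, dropped = simulate_one_state(events)
    for ip in sorted(answered):
        print(f"{ip:15s} answered={answered[ip]} dropped={dropped[ip]}")
```

Under this model the 4 queries/s source gets 4 answers in 120 seconds and the 64-second poller loses nothing, but the constructed client that sends four queries two seconds apart is answered only once, which is the case to check before deploying such a rule.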

