[Pool] Server Abuse

Michael Meier michael.meier at fau.de
Sun Apr 5 07:02:11 UTC 2015


On 04/04/2015 10:26 PM, Miguel Barbosa Gonçalves wrote:
> I've added a server I own to the pool some weeks ago. The traffic level is
> perfectly acceptable for the connectivity of the server. I am seeing around
> 400 packets-per-second when serving only NTP traffic.
> Today, I decided to capture the traffic with tcpdump and analyse it. I was
> a bit shocked...
> The first 5 belong to the same entity. They queried my server 9255 times in
> 292 seconds. This is 31 queries per second! The first IP address contacted
> my server 6.79 times per second.

A few very abusive clients are not a rare sight.
The solution is to implement rate limiting on NTP and/or the firewall.
We even have a munin-graph showing packets dropped due to exceeding our
(generous) rate limit, the one for our most used server is attached.
Note that we have the same limits and graphs for IPv6, and so far there
haven't been excessive requests on IPv6.
I think in most cases these clients don't even have bad intentions. It's
probably mostly situations like N hosts behind NAT that started up at
almost the same time and therefore got the same "random" pool servers
from DNS.

> I find this bad, very bad in fact. So, I added a rule in my firewall so
> that there only can be one state per IP address. The UDP timeout in my
> firewall is around 30 seconds so this limits the clients to one connection
> every 30 seconds.

By that you hopefully mean more than one packet per source every 30
seconds, because there may be a few in a row on NTP startup. Also,
"state" and UDP are two things that generally do not mix very well...

Now for something related: We've seen a big increase in clients/requests
on all our pool servers since Friday, March 13th - is anyone else seeing
this?
-- 
Michael Meier, Zentrale Systeme
Friedrich-Alexander-Universitaet Erlangen-Nuernberg
Regionales Rechenzentrum Erlangen
Martensstrasse 1, 91058 Erlangen, Germany
Tel.: +49 9131 85-28973, Fax: +49 9131 302941
michael.meier at fau.de
www.rrze.fau.de
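The two points made in the reply above, that a few sources can dominate the request count and that a per-source limit needs a burst allowance for the "few in a row on NTP startup", can be shown by replaying a packet log through a per-source token bucket. The following is an added example written for this page; it is not code from the original post, from the NTP Pool project or from ntpd. The packet log is constructed (documentation-range addresses, a polite client, a client with a startup burst, and one source sending ~31 queries/s like the quoted capture), and the two limiter settings are assumptions: "strict" approximates the quoted firewall rule (one new state per source per 30 s, i.e. burst 1, refill every 30 s), "generous" allows an 8-packet burst and then one query per 10 s on average.

```python
"""Per-source NTP request analysis and token-bucket rate limiting.

Added example, not code from the original post, the NTP Pool project or
ntpd. The packet log is constructed, not a real tcpdump capture.
"""
from collections import defaultdict


def build_sample():
    """Constructed (timestamp_seconds, source_ip) list standing in for a
    capture of udp/123 requests. Three clients, all assumed addresses:
      198.51.100.10  polls once every 64 s (well-behaved)
      198.51.100.20  8-packet startup burst 2 s apart, then every 64 s
                     (the "few in a row on NTP startup" case)
      203.0.113.5    300 queries 32 ms apart (~31 queries/s), the abusive
                     pattern from the quoted capture
    """
    pkts = [(float(t), "198.51.100.10") for t in range(0, 300, 64)]
    pkts += [(1.0 + 2.0 * i, "198.51.100.20") for i in range(8)]
    pkts += [(float(t) + 15.0, "198.51.100.20") for t in range(64, 300, 64)]
    pkts += [(10.0 + 0.032 * i, "203.0.113.5") for i in range(300)]
    pkts.sort()
    return pkts


def per_source_stats(pkts):
    """Per source: packet count, average rate over the whole capture and
    peak number of packets in any sliding 1 s window."""
    by_ip = defaultdict(list)
    for t, ip in pkts:
        by_ip[ip].append(t)
    window = max(t for t, _ in pkts) - min(t for t, _ in pkts)
    stats = {}
    for ip, ts in by_ip.items():
        ts.sort()
        peak = lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] >= 1.0:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        stats[ip] = {"packets": len(ts),
                     "avg_qps": len(ts) / window,
                     "peak_qps": peak}
    return stats


def token_bucket_drops(pkts, rate, burst):
    """Replay the log through one token bucket per source address.

    A source may send `burst` packets back to back, then on average one
    packet every 1/rate seconds; anything beyond that is dropped.
    Returns the number of dropped packets per source (0 if none)."""
    tokens, last, drops = {}, {}, {}
    for t, ip in pkts:
        if ip in last:
            # refill for the time elapsed since this source's last packet
            tokens[ip] = min(burst, tokens[ip] + (t - last[ip]) * rate)
        else:
            tokens[ip] = float(burst)
            drops[ip] = 0
        last[ip] = t
        if tokens[ip] >= 1.0:
            tokens[ip] -= 1.0
        else:
            drops[ip] += 1
    return drops


SAMPLE = build_sample()

if __name__ == "__main__":
    for ip, s in per_source_stats(SAMPLE).items():
        print(f"{ip:15} {s['packets']:4d} pkts  avg {s['avg_qps']:.2f}/s"
              f"  peak {s['peak_qps']}/s")
    # "one state per source, 30 s UDP timeout" approximated as burst 1,
    # one refill per 30 s: it also drops most of the startup burst
    print("strict  :", token_bucket_drops(SAMPLE, rate=1 / 30, burst=1))
    # generous: allow an 8-packet startup burst, then one query per 10 s
    print("generous:", token_bucket_drops(SAMPLE, rate=0.1, burst=8))
```

With the constructed log, the strict setting drops 7 of the 8 startup packets of the client that merely came up, while the generous setting passes every packet from both normal clients and still drops 292 of the abusive source's 300 queries. A burst-capable per-source limiter of this shape is what iptables' hashlimit match provides (`--hashlimit-above` with `--hashlimit-burst`), and it needs no connection state for UDP; ntpd's `restrict ... limited` together with `discard` instead enforces a minimum average inter-packet interval per source.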
