[Pool] Server Abuse

Rob Janssen rob at knoware.nl.eu.org
Sun Apr 5 08:15:33 UTC 2015

Miguel Barbosa Gonçalves wrote:
> The first 5 belong to the same entity. They queried my server 9255 times in
> 292 seconds. This is 31 queries per second! The first IP address contacted
> my server 6.79 times per second.
> I find this bad, very bad in fact. So, I added a rule in my firewall so
> that there can only be one state per IP address. The UDP timeout in my
> firewall is around 30 seconds so this limits the clients to one connection
> every 30 seconds.

There are different kinds of abusers.  One possible cause for such query rates is that these
are in fact NAT routers that serve a large number of systems, each making their NTP queries
at an acceptable rate but together sending traffic at such high rates.  Of course the admin
should set up a local NTP server, sync that to the pool, and refer the internal clients to that
server.  But admins think that is too much work, the way they do it now "just works".
Of course it would be less of a problem if there were a large number of servers in
the .pt area.

Another kind is the jerk that just wants to break things.  With the size of the internet today, there
always are a large number of jerks even when it is only a small percentage of users.  Not
much can be done about it; the jerk does not even have to be at the location the whois
points to because there are so many incompetent ISPs out there that do not perform source
address filtering (BCP 38).  They may be trying to DDOS the people that you think are the

A third kind is the broken NTP client.  Unfortunately for you, there are clients that increase
the query rate when they get little or no response.  So, when you rate limit the requests,
the rate actually *increases* to make up for it.  So be very careful when doing rate limiting
and always monitor the effect of it.
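Below is an added example (not code from this post, the list, or the pool project) that turns the two points above into a check: it computes per-source query rates from a constructed query log, flags the sources above a threshold the way Miguel's numbers were derived, and then compares each source's rate before and after a rate limit was applied, so a client whose rate rises under limiting (the broken-client pattern Rob warns about) is surfaced rather than hidden. Assumptions: the log format is a constructed `epoch_seconds source_ip` line per query (not ntpd's own format), both captures are taken in front of the firewall so they count attempts rather than accepted packets, the 1 query/s threshold is an arbitrary illustrative value, and all addresses are from documentation ranges.

```python
"""Per-source NTP query-rate monitor.

Added example for the discussion above; not code from the pool project or
the list post. It parses a constructed query log of (unix time, source IP)
records, computes each source's query rate over the capture window, flags
the sources above a threshold, and compares rates before and after a rate
limit so that clients whose rate *rises* under limiting stand out.
"""
from collections import Counter

WINDOW = 60.0  # seconds covered by each constructed capture below


def make_queries(ip, count, duration, start=0.0):
    """Return `count` evenly spaced query records for `ip` over `duration` s."""
    step = duration / count
    return [(start + i * step, ip) for i in range(count)]


def format_log(records):
    """Serialise records as constructed 'epoch_seconds source_ip' lines."""
    return ["%.3f %s" % (t, ip) for t, ip in sorted(records)]


def parse_log(lines):
    """Parse 'epoch_seconds source_ip' lines (constructed format, not ntpd's)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip = line.split()
        records.append((float(ts), ip))
    return records


def query_rates(records, window):
    """Queries per second per source over a capture of `window` seconds."""
    counts = Counter(ip for _, ip in records)
    return {ip: n / window for ip, n in counts.items()}


def flag_abusers(rates, threshold_qps):
    """Sources whose sustained rate exceeds threshold_qps, highest first."""
    return sorted(((ip, r) for ip, r in rates.items() if r > threshold_qps),
                  key=lambda x: -x[1])


def rate_increases(before, after):
    """Sources that send *more* after limiting: the broken-client pattern."""
    return {ip: (before.get(ip, 0.0), after[ip])
            for ip in after if after[ip] > before.get(ip, 0.0)}


# Constructed attempts BEFORE the firewall rule (captured in front of it).
BEFORE_LOG = format_log(
    make_queries("192.0.2.10", 400, WINDOW)       # ~6.7 qps, e.g. a busy NAT
    + make_queries("192.0.2.11", 90, WINDOW)      # 1.5 qps
    + make_queries("203.0.113.5", 4, WINDOW)      # one query per 15 s
    + make_queries("198.51.100.7", 1, WINDOW)     # sane client, one per 64 s
)

# Constructed attempts AFTER a one-state-per-IP rule with a 30 s UDP timeout.
# The NAT's clients keep polling as before; the broken client ramps up.
AFTER_LOG = format_log(
    make_queries("192.0.2.10", 400, WINDOW)
    + make_queries("192.0.2.11", 90, WINDOW)
    + make_queries("203.0.113.5", 30, WINDOW)     # now one query per 2 s
    + make_queries("198.51.100.7", 1, WINDOW)
)


def analyse(before_lines, after_lines, window=WINDOW, threshold_qps=1.0):
    """Flag heavy sources in the first capture and rate rises in the second."""
    before = query_rates(parse_log(before_lines), window)
    after = query_rates(parse_log(after_lines), window)
    return {
        "abusers_before": flag_abusers(before, threshold_qps),
        "increased_after_limiting": rate_increases(before, after),
    }


if __name__ == "__main__":
    result = analyse(BEFORE_LOG, AFTER_LOG)
    for ip, rate in result["abusers_before"]:
        print("%-14s %.2f queries/s" % (ip, rate))
    for ip, (b, a) in result["increased_after_limiting"].items():
        print("%s went from %.3f to %.3f queries/s after limiting" % (ip, b, a))
```

The before/after comparison is the part worth keeping: a rate limit judged only by what the server still answers looks like a success, while a capture of attempts in front of the filter shows whether a client backed off, kept going, or started hammering harder.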


