[Pool] Server Abuse

Miguel Barbosa Gonçalves m at mbg.pt
Sun Apr 5 11:02:34 UTC 2015


Hi Robert!

2015-04-05 7:15 GMT+01:00 Robert Gray <bob at graynz.net>:

> Thanks Miguel
>
> Not something I'd thought to look at before but I found different
> addresses but the same result - a small number of originating high traffic
> IP addresses.
>
> Rate limiting seems a simple and obvious response unless there is a
> legitimate reason for this behaviour that I am unaware of?
>

Someone suggested that it could be a Carrier Grade NAT box. Well, IMHO,
someone who has the money to buy such a thing could very well implement a
local NTP server.

Cheers,
Miguel

> On 5 April 2015 at 08:26, Miguel Barbosa Gonçalves <m at mbg.pt> wrote:
>
>> Hi!
>>
>> I've added a server I own to the pool some weeks ago. The traffic level is
>> perfectly acceptable for the connectivity of the server. I am seeing
>> around 400 packets-per-second when serving only NTP traffic.
>>
>> Today, I decided to capture the traffic with tcpdump and analyse it. I was
>> a bit shocked...
>>
>> - Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1.  This is
>> a 292 second period.
>>
>> - During this period my server saw 76039 different IP addresses.
>>
>> - The IP addresses with the biggest number of queries were
>>
>> 1984 193.236.92.137
>> 1847 193.236.92.138
>> 1846 193.236.92.145
>> 1800 193.236.92.144
>> 1778 193.236.92.141
>> 1278 84.90.0.142
>> 1258 212.55.172.9
>> 1248 193.236.92.135
>> 1234 212.55.181.167
>>
>> The first 5 belong to the same entity. They queried my server 9255 times
>> in 292 seconds. This is 31 queries per second! The first IP address
>> contacted my server 6.79 times per second.
>>
>> I find this bad, very bad in fact. So, I added a rule in my firewall so
>> that there only can be one state per IP address. The UDP timeout in my
>> firewall is around 30 seconds so this limits the clients to one connection
>> every 30 seconds.
>>
>> I believe well behaved clients won't notice but these abusers will soon
>> see no responses.
>>
>> What do you think about this?
>>
>> Cheers,
>> Miguel
>
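The per-source tally described in the quoted message above, as an added example that is not part of the original thread: it counts NTP queries per source address from `tcpdump -n` text output, averages the rate over the capture window, and also sums by /24 to surface one entity spread over several addresses. The sample lines, the server address and the function names are constructed for illustration (documentation address ranges); it assumes IPv4 and a capture that does not cross midnight.

```python
import re
from collections import Counter
from ipaddress import ip_network

# tcpdump -n line: "HH:MM:SS.ffffff IP src.sport > dst.dport: NTPv4, Client, ..."
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP "
                  r"(\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+): ")

def tally(lines, server_ip):
    """Return (queries per source IP, capture window in seconds)."""
    counts, stamps = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # malformed or non-IPv4 line
        h, mi, s, src, dst, dport = m.groups()
        if dst != server_ip or dport != "123":
            continue                      # server replies and unrelated traffic
        stamps.append(int(h) * 3600 + int(mi) * 60 + float(s))
        counts[src] += 1
    window = max(stamps) - min(stamps) if stamps else 0.0
    return counts, window

def by_prefix(counts, prefixlen=24):
    """Sum per-IP counts by network, to spot one entity using many addresses."""
    agg = Counter()
    for ip, n in counts.items():
        agg[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return agg

def heavy(counts, window, max_qps):
    """Keys whose average rate over the window exceeds max_qps, busiest first."""
    if window <= 0:
        return []
    rates = [(k, n / window) for k, n in counts.items() if n / window > max_qps]
    return sorted(rates, key=lambda kv: (-kv[1], kv[0]))

# Constructed sample: two hosts in one /24 send 5 queries per second for 10 s,
# a third host sends a single query, and one server reply is mixed in.
SERVER = "203.0.113.5"
SAMPLE = [f"19:23:{sec:02d}.{i:06d} IP 192.0.2.{host}.{40000 + i} > {SERVER}.123: "
          "NTPv4, Client, length 48"
          for sec in range(31, 41) for host in (137, 138) for i in range(5)]
SAMPLE.append(f"19:23:31.000100 IP {SERVER}.123 > 192.0.2.137.123: NTPv4, Server, length 48")
SAMPLE.append(f"19:23:41.000000 IP 198.51.100.7.51000 > {SERVER}.123: NTPv4, Client, length 48")
if __name__ == "__main__":
    counts, window = tally(SAMPLE, SERVER)
    for ip, qps in heavy(counts, window, max_qps=1.0):
        print(f"{counts[ip]:6d} {ip:15s} {qps:.2f} q/s")
```

Passing the result of `by_prefix(counts)` to `heavy()` applies the same threshold per network instead of per address.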

