[ntp:questions] Re: Can you test my server please.

Brian Utterback Brian.Utterback at Sun.removeme.COM
Wed Nov 24 13:47:37 UTC 2004



Brad Knowles wrote:
> At 11:21 AM +0100 2004-11-24, Folkert van Heusden wrote:
> 
>>  What about adding some throtteling(?) code to the ntp-daemon which makes
>>  it stop answering requests when more then x requests per y come in?
>>  Shouldn't be too difficult to code I guess.
> 
> 
>     I can't say for certain, but I suspect that's not going to work too 
> well.  These clients are abusive enough when they are getting answers -- 
> when they stop getting answers, or get only KOD, etc..., that's when 
> they crank up to truly abusive things like sending us one query per 
> second, etc....

The NTPV4 development branch already has rate limiting. The problem is (as Brad
noted) some broken clients actually increase the rate when the responses are
throttled. And as we saw from UWISC, a firewall is useless since the traffic
still goes as far as the firewall and might increase the traffic.

Poisoned data is just about the only solution that can work. Denying access to
the data encourages the clients to ask again. Other more civilized schemes
rely on client support, and we are presupposing broken clients. However, it
would be a good idea to have standard offset that is applied across all
servers, so the servers are more likely to appear to agree and actually
set the time on the errant client, which is mush more likely to be noticed.

-- 
blu

I voted electronically...I think.
--------------------------------------------------------------------------------
Brian Utterback - OP/N1 Revenue Product Engineering, Sun Microsystems, Inc.
Ph/VM: 877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom



More information about the questions mailing list