[ntp:questions] Re: Question on abusive clients.
David L. Mills
mills at udel.edu
Sun Dec 25 01:12:26 UTC 2005
Yes, it would be good to have the network layer run interference, and
there are some suggestions in current papers. However, these methods are
based on probabilistic packet marking and work well only if the abuser
is a significant fraction of the load. With several thousand mice per
second pounding on the servers, it's hard to cut the elephant stomping
once per second from the herd.
Actually, the LRU sorter in the monlist scheme does a rather good job of
finding a few elephants and that's how we got the data for the paper. In
the Wisconsin incident there were 750,000 elephants and mice didn't have
a chance. The trouble wasn't only with the UWisc infrastructure; the
upstream ISP was scorched, too. This would suggest the best long-term
solution is something like what telephone providers call "call gap". The
idea is to automatically detect congestion and chase it toward the
source as far as possible and disable dial tone.
David J Taylor wrote:
> David L. Mills wrote:
>>There are copious examples of that happening right now on the NIST and
>>USNO servers. What would you suggest we do to stop it? See the paper
>>Mills, D.L., J. Levine, R. Schmidt and D. Plonka. Coping with overload
>>on the Network Time Protocol public servers. Proc. Precision Time and
>>Time Interval (PTTI) Applications and Planning Meeting (Washington DC,
>>December 2004), 5-16.
>>Full text is at www.eecis.udel.edu/~mills/papers.html.
> Thanks for that pointer, Dave. If I had to summarise: "NTP too successful
> for its own good!"
> It seems to me that you need something at the network level, rather than
> the NTPD level, to turn off the path from the Elephants. How you keep a
> network-level block secure from hacking is not a trivial issue, though!
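An added illustration of the "LRU sorter" point made above (this is example code written for this page, not ntpd's monlist/MRU implementation and not anything the posters wrote): a bounded most-recently-used list keyed by client address, fed a constructed stream of thousands of one-shot "mice" per second plus three "elephants" that poll once per second. The capacities (600 and 4000), the rates and the addresses are assumptions chosen for the demonstration. With a list much smaller than the number of new clients arriving between two elephant hits, the elephant is evicted and its statistics reset before it can be recognised; with a larger list it is found with its full hit count and a mean interval of one second.

```python
"""Bounded MRU ("monlist"-style) client list used to spot high-rate NTP
clients.  Added illustration, not ntpd's own code.  Addresses, capacities
and rates below are constructed for the demonstration."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:
    first: float    # time of first packet seen while resident in the list
    last: float     # time of most recent packet
    count: int = 1  # packets seen while resident


class MruList:
    """Most-recently-used list keyed by client address.

    A hit moves the client to the tail; when the list is full the head
    (least recently seen client) is discarded.  Statistics are lost on
    eviction, which is what lets a dense swarm of one-shot clients hide
    a slow but persistent abuser."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()   # address -> Entry, tail = most recent
        self.evictions = 0

    def record(self, addr, now):
        entry = self.entries.get(addr)
        if entry is None:
            if len(self.entries) >= self.capacity:
                self.entries.popitem(last=False)   # drop least recently seen
                self.evictions += 1
            self.entries[addr] = Entry(first=now, last=now)
        else:
            entry.count += 1
            entry.last = now
            self.entries.move_to_end(addr)

    def elephants(self, min_count=10, max_avg_interval=2.0):
        """Resident clients seen at least min_count times with a mean
        inter-arrival interval of at most max_avg_interval seconds."""
        found = []
        for addr, e in self.entries.items():
            if e.count < min_count:
                continue
            avg = (e.last - e.first) / (e.count - 1)
            if avg <= max_avg_interval:
                found.append((addr, e.count, avg))
        return sorted(found, key=lambda t: t[1], reverse=True)


# Constructed abusers: three hosts polling once per second (hypothetical).
ELEPHANTS = ("192.0.2.10", "192.0.2.11", "198.51.100.7")


def mouse_addr(n):
    """Deterministic unique 10/8 address for the n-th one-shot client."""
    return "10.%d.%d.%d" % ((n >> 16) & 255, (n >> 8) & 255, n & 255)


def simulate(capacity, seconds=60, mice_per_second=2000):
    """Feed the list `seconds` worth of traffic: mice_per_second distinct
    one-shot clients per second, plus ELEPHANTS each hitting once a second
    in the middle of the second.  Returns the populated MruList."""
    mru = MruList(capacity)
    mouse = 0
    for sec in range(seconds):
        for k in range(mice_per_second):
            if k == mice_per_second // 2:
                for addr in ELEPHANTS:
                    mru.record(addr, sec + 0.5)
            mru.record(mouse_addr(mouse), sec + k / mice_per_second)
            mouse += 1
    return mru


def found_elephants(capacity):
    """Addresses the list identifies as elephants for a given capacity."""
    return sorted(addr for addr, _, _ in simulate(capacity).elephants())


if __name__ == "__main__":
    for cap in (600, 4000):
        mru = simulate(cap)
        print("capacity %d: %d evictions, elephants: %s"
              % (cap, mru.evictions, mru.elephants()))
```

The design point is the one the post makes: an LRU-ordered list only "sorts out" an elephant whose inter-arrival interval is shorter than the time it takes the mice to push it off the far end, so the list depth has to be sized against the arrival rate of new clients, not against the number of abusers you expect to catch.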