[ntp:questions] Re: Question on abusive clients.

David L. Mills mills at udel.edu
Sun Dec 25 01:12:26 UTC 2005


Yes, it would be good to have the network layer run interference, and 
there are some suggestions in current papers. However, these methods are 
based on probabilistic packet marking and work well only if the abuser 
is a significant fraction of the load. With several thousand mice per 
second pounding on the servers, its hard to cut the elephand stomping 
once per second from the herd.

Actually, the LRU sorter in the monlist scheme does a rather good job of 
finding a few elephants and that's how we got the data for the paper. In 
the Wisconsin incident there were 750,000 elephants and mice didn't have 
a chance. The trouble wasn't only with the UWisc infrastructure; the 
upstream ISP was scortched, too. This would suggest the best long-term 
solution is something like what telephone providers call "call gap". The 
idea is to automatically detect congestion and chase it toward the 
source as far as possible and disable dial tone.


David J Taylor wrote:

> David L. Mills wrote:
>>There are copious examples of that happening right now on the NIST and
>>USNO servers. What would you suggest we do to stop it? See the paper
>>Mills, D.L., J. Levine, R. Schmidt and D. Plonka. Coping with overload
>>on the Network Time Protocol public servers. Proc. Precision Time and
>>Time Interval (PTTI) Applications and Planning Meeting (Washington DC,
>>December 2004), 5-16.
>>Full text is at www.eecis.udel.edu/~mills/papers.html.
> Thanks for that pointer, Dave.  If I had to summarise: "NTP too successful 
> for its own good!"
> It seems to me that you need something at the network level, rather than 
> the NTPD level, to turn off the path from the Elephants.  How you keep a 
> network-level block secure from hacking is not a trivial issue, though!
> 73,
> David 

More information about the questions mailing list