[ntp:questions] Bad NTP servers jeopardizing the pool.ntp.org initiative

Danny Mayer mayer at ntp.isc.org
Sat Mar 24 03:20:31 UTC 2007


Thomas Tornblom wrote:
> It is sad to see the pool.ntp.org initiative being jeopardized by some
> childish vendetta from one of the participants against the customers
> of one of the largest, if not the largest, ISP in Sweden :-(
> 
> I was glad when I found out about the pool initiative, and immediately
> set up my systems and gadgets to use the Swedish pool.
> 
> I quickly found out that frequently I would not get any ntp service,
> depending on which server I got.
> 
> Checking the IP address of the non responding servers I quickly found
> out who they belonged to, and I then immediately knew why I wasn't
> getting through. That individual has had a personal problem since the
> 80:s with the ISP I'm using, and is filtering out any traffic from
> networks belonging to this ISP.
> 
> I have tried to get the administrators of the pool to throw this
> individual's servers out of the pool until he stops this, which
> resulted in ... nothing.
> 
> I switched to use the [0-3].europe.pool.ntp.org servers instead, which
> worked fine for a while. Today I noticed that I was given two of his
> servers when I restarted ntpd anyway :-(
> 
> I have now had to manually go through and test the servers I get when
> I look up the addresses, and select four that do not belong to this
> guy.
> 
> Thomas

If I understand correctly what you are asking, what we need here instead
of the server line is a pool line and an exclude line
to ignore any specific IP addresses that we don't want to use. I'm
suggesting that the exclude line can be used separately since you don't
want them used anywhere. So for example you would want to do something
like this:

exclude 1.2.3.4 netmask 255.255.255.0
exclude 5.6.7.8
pool se.europe.pool.ntp.org max 5

(pool is coming, exclude I just made up for this message).
The exclude lines would exclude all IP addresses in 1.2.3.* and 5.6.7.8.
This is different from a restrict line since it would automatically not
allow those addresses to be used as servers and peers.

If this is what fits the bill, please enter a bug item in bugzilla with
these details.

Thanks,
Danny
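
Added example, not part of the original message and not ntpd code: a Python sketch that applies the exclude semantics described above outside ntpd, filtering candidate addresses and emitting plain server lines. The exclude syntax is the one invented in the message; the candidate list is constructed sample data standing in for a pool DNS lookup, and all function names are hypothetical.

```python
import ipaddress

# Constructed input: the exclude lines from the message, in the syntax
# invented there (assumption: this is not a real ntpd directive).
EXCLUDE_LINES = """\
exclude 1.2.3.4 netmask 255.255.255.0
exclude 5.6.7.8
"""

# Constructed stand-in for the addresses a pool DNS lookup might return.
CANDIDATES = ["1.2.3.77", "5.6.7.8", "5.6.7.9",
              "192.0.2.10", "198.51.100.4", "203.0.113.25"]


def parse_excludes(text):
    """Turn 'exclude ADDR [netmask MASK]' lines into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        bad_shape = fields[0] != "exclude" or len(fields) not in (2, 4)
        if bad_shape or (len(fields) == 4 and fields[2] != "netmask"):
            raise ValueError(f"unrecognised line: {raw!r}")
        if len(fields) == 4:
            # strict=False drops host bits: 1.2.3.4/255.255.255.0 -> 1.2.3.0/24
            nets.append(ipaddress.ip_network(f"{fields[1]}/{fields[3]}", strict=False))
        else:
            nets.append(ipaddress.ip_network(fields[1]))  # single host
    return nets


def select_servers(candidates, excludes, maximum):
    """Keep up to `maximum` candidates that fall in no excluded network."""
    kept = []
    for text in candidates:
        addr = ipaddress.ip_address(text)
        if any(addr.version == net.version and addr in net for net in excludes):
            continue
        kept.append(text)
        if len(kept) == maximum:
            break
    return kept


def server_lines(candidates=CANDIDATES, exclude_text=EXCLUDE_LINES, maximum=4):
    """Render the surviving addresses as ntp.conf 'server' lines."""
    chosen = select_servers(candidates, parse_excludes(exclude_text), maximum)
    return [f"server {a}" for a in chosen]


if __name__ == "__main__":
    print("\n".join(server_lines()))
```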



