[ntp:questions] [Pool] 4000 packets a second?

Dave Hart davehart at gmail.com
Tue Aug 31 00:56:59 UTC 2010


On Mon, Aug 30, 2010 at 20:12 UTC, Scott Baker <bakers at canbytel.com> wrote:
[...]
> My server was getting 4000 requests every 5 seconds from a 65.99.214.245.
[...]
> I was able to block that IP at our upstream router. Is there a better way
> (with NTPd) to block something like that?

A pool server I'm involved with uses:

discard minimum 0
restrict default limited kod notrap nomodify

With versions of ntpd older than 4.2.6, you should also add:

restrict -6 default limited kod notrap nomodify

to apply the same default restrictions to both IPv4 and IPv6 clients.
In any case, you will also want relaxed restrictions covering at least
localhost and possibly some local subnets:

restrict 127.0.0.1
restrict ::1

By default, ntpd enforces no rate limiting.  If the applicable
restrict line for a given client contains "limited", basic rate
limiting is enforced, controlled by the "discard minimum" and "discard
average" knobs [1].

Be aware that if you enable rate limiting, the default "discard
minimum 1" degrades service to ntpdate clients, which send the next
request as soon as they receive the prior response with no regard to
rate limiting.  The very newest 4.2.7 versions of ntpdate rate-limit
requests to stay under the ntpd defaults, but to provide better
service to older ntpdate, "discard minimum 0" lowers the minimum time
allowed between requests from a single IP to 1s from 2s default.
ntpdate can work with only one response out of four tries, but more
responses are better.

You can monitor the rate limiting in action using "ntpdc -c sysstats",
or, with a 4.2.7 ntpq and ntpd, "ntpq -c sysstats" which adds a KoDs
sent counter compared to its ntpdc equivalent.  "ntpdc -c monlist" (or
on 4.2.7 or later, "ntpq -c mrulist") might also provide insight.

Speaking of KoDs, they not sent by default.  The source IP's matching
restrict line must have _both_ "limited" and "kod" for Kiss-O'Death
responses to emit, as the KoD code is never reached unless
rate-limiting applies.

Cheers,
Dave Hart


[1] http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard



More information about the questions mailing list