[ntp:questions] [Pool] 4000 packets a second?

David L. Mills mills at udel.edu
Wed Sep 1 00:42:40 UTC 2010


Scott,

Did you intend the discard minimum 0? That effectively disables the rate 
control defense mechanism. You should leave it out.

Dave

Dave Hart wrote:

>On Mon, Aug 30, 2010 at 20:12 UTC, Scott Baker <bakers at canbytel.com> wrote:
>[...]
>
>>My server was getting 4000 requests every 5 seconds from a 65.99.214.245.
>
>[...]
>
>>I was able to block that IP at our upstream router. Is there a better way
>>(with NTPd) to block something like that?
>
>A pool server I'm involved with uses:
>
>discard minimum 0
>restrict default limited kod notrap nomodify
>
>With versions of ntpd older than 4.2.6, you should also add:
>
>restrict -6 default limited kod notrap nomodify
>
>to apply the same default restrictions to both IPv4 and IPv6 clients.
>In any case, you will also want relaxed restrictions covering at least
>localhost and possibly some local subnets:
>
>restrict 127.0.0.1
>restrict ::1
>
>By default, ntpd enforces no rate limiting.  If the applicable
>restrict line for a given client contains "limited", basic rate
>limiting is enforced, controlled by the "discard minimum" and "discard
>average" knobs [1].
>
>Be aware that if you enable rate limiting, the default "discard
>minimum 1" degrades service to ntpdate clients, which send the next
>request as soon as they receive the prior response with no regard to
>rate limiting.  The very newest 4.2.7 versions of ntpdate rate-limit
>requests to stay under the ntpd defaults, but to provide better
>service to older ntpdate, "discard minimum 0" lowers the minimum time
>allowed between requests from a single IP to 1s from 2s default.
>ntpdate can work with only one response out of four tries, but more
>responses are better.
>
>You can monitor the rate limiting in action using "ntpdc -c sysstats",
>or, with a 4.2.7 ntpq and ntpd, "ntpq -c sysstats" which adds a KoDs
>sent counter compared to its ntpdc equivalent.  "ntpdc -c monlist" (or
>on 4.2.7 or later, "ntpq -c mrulist") might also provide insight.
>
>Speaking of KoDs, they are not sent by default.  The source IP's matching
>restrict line must have _both_ "limited" and "kod" for Kiss-O'Death
>responses to be emitted, as the KoD code is never reached unless
>rate-limiting applies.
>
>Cheers,
>Dave Hart
>
>
>[1] http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard
>_______________________________________________
>questions mailing list
>questions at lists.ntp.org
>http://lists.ntp.org/listinfo/questions

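The restrict/discard settings that the quoted reply describes, checked by an added audit script. This is an example written for this page, not code from the thread or from the ntp distribution; it assumes ntpd 4.2.x ntp.conf syntax (the "restrict default", "restrict -4/-6 default" and "discard minimum" forms named above), and the two configurations it creates are constructed for the demo: one mirrors the pool-server lines quoted in the reply, the other is a "restrict default" line with access limits but no "limited" keyword, so no rate limiting and no KoD at all.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from the ntp
# distribution. Audits an ntp.conf for the rate-limiting knobs discussed above.
# Assumes ntpd 4.2.x ntp.conf syntax (restrict/discard keywords, any order).
#
#   restrict default ... limited      -> rate limiting applies to that source
#   restrict default ... limited kod  -> and Kiss-o'-Death replies are sent
#   discard minimum N                 -> min spacing per source is 2^N s
#                                        (default 1 = 2 s; 0 = 1 s)

# audit_ntp_conf FILE
# Prints one finding per relevant line. Returns 0 when every
# 'restrict default' line carries 'limited', 1 otherwise (or when no
# 'restrict default' line exists at all).
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                    # strip comments
        NF == 0 { next }                      # skip blank lines
        $1 == "restrict" {
            # accept "restrict default" and "restrict -4|-6 default"
            i = 2
            if ($2 == "-4" || $2 == "-6") i = 3
            if ($i != "default") next
            ndef++
            limited = 0; kod = 0
            for (j = i + 1; j <= NF; j++) {
                if ($j == "limited") limited = 1
                if ($j == "kod")     kod = 1
            }
            if (!limited) {
                print "FAIL line " NR ": restrict default without \"limited\": no rate limiting"
                bad = 1
            } else if (!kod) {
                print "WARN line " NR ": \"limited\" without \"kod\": excess packets dropped silently, no KoD sent"
            } else {
                print "OK   line " NR ": rate limiting with KoD enabled"
            }
        }
        $1 == "discard" {
            for (j = 2; j < NF; j++) {
                if ($j == "minimum") {
                    if ($(j + 1) == 0)
                        print "NOTE line " NR ": discard minimum 0: 1 s per-source spacing instead of the 2 s default"
                    else
                        print "OK   line " NR ": discard minimum " $(j + 1) " (" 2 ^ $(j + 1) " s per-source spacing)"
                }
            }
        }
        END {
            if (ndef == 0) {
                print "FAIL: no restrict default line: every source gets full access"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Demo on two constructed configurations (made up for this example).
demo_dir=$(mktemp -d)

# Mirrors the pool-server lines quoted in the reply above.
cat > "$demo_dir/pool.conf" <<'EOF'
discard minimum 0
restrict default limited kod notrap nomodify
restrict 127.0.0.1
restrict ::1
EOF

# Access limits only: without "limited" nothing is rate limited, and
# without "kod" no Kiss-o'-Death is ever sent.
cat > "$demo_dir/open.conf" <<'EOF'
restrict default notrap nomodify   # no "limited", no "kod"
EOF

for f in "$demo_dir/pool.conf" "$demo_dir/open.conf"; do
    echo "== $f"
    if audit_ntp_conf "$f"; then echo "-> pass"; else echo "-> fail"; fi
done
rm -rf "$demo_dir"
```

Run it as a file, or source it and call audit_ntp_conf /etc/ntp.conf on a live server. The script only reports what the restrict and discard lines say; whether "discard minimum 0" is acceptable on a given server is the judgement call argued in this thread, so it is flagged as a NOTE rather than a failure. A "limited" line without "kod" is a WARN because the excess packets are dropped but the client never learns why.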