[ntp:hackers] Profiling abusive clients

Brian Utterback brian.utterback at sun.com
Wed Nov 21 15:21:46 GMT 2007



Matthias Urlichs wrote:
> Hi,
> 
> Poul-Henning Kamp:
>> And ruin your timekeeping performance with varying firewall delays ?
>>
> So limit the number of blocked clients to N, and add N dummy entries to
> the list when you start it all up.
> 
> Besides, if the KoD-ignoring bugger really abuses you, that's going to
> introduce much more delay and variation into your main path than a
> handful of simple firewall rules.
> 

But if you add packetfilter rules, the packets still arrive, and
still incur a processing cost. The only thing you save is the
transmission processing and bandwidth costs. It doesn't help
to block the packets at the server. Nor does it help to hide
the server time, as Dave noted. The best choice I can think
of is to specify a particular offset in the RFC to be subtracted
from the time and adjust the timestamps by that. If all servers
used the same specified offset, then it would increase the chances
that the offset is used and gets noticed.

That is, if there are three servers configured, all being abused,
all using Dave's scheme of sending back the transmit timestamp, the
abusive client won't even notice, since the resulting offset will
be half the delay to each, so they will all nearly match and
the client will be undisciplined but will look normal.

But if the three servers all used a specified offset, preferably
something fairly large, then the calculated offset will be large and
will match. Thus the client will probably step out and get operator
attention.

-- 
blu

"You've added a new disk. Do you want to replace your current
drive, protect your data from a drive failure or expand your
storage capacity?" - Disk management as it should be.
----------------------------------------------------------------------
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
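The offset arithmetic behind the argument above, as an added example that is not part of the thread: an NTP client derives its clock offset from the four packet timestamps, so the simulation below runs one exchange against a synchronised server that fills its timestamps either honestly, by echoing the client's transmit timestamp (Dave's scheme as described in the post), or by subtracting a fixed specified offset. The delays and the 1 s offset are constructed values; the 128 ms step threshold is ntpd's default.

```python
# Added example, not code from the ntp project or the mailing-list post.
# NTP timestamps: T1 client transmit, T2 server receive,
# T3 server transmit, T4 client receive (floats in seconds here).
STEP_THRESHOLD = 0.128   # ntpd default step threshold, seconds


def client_offset(t1, t2, t3, t4):
    """Offset and round-trip delay exactly as an NTP client computes them."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    return offset, delay


def exchange(now, one_way_delay, policy, fixed_offset=0.0):
    """One request/response with a perfectly synchronised server whose
    processing time is zero. `policy` picks how T2/T3 are filled in:
    "honest", "echo" (send the client's own T1 back) or
    "fixed" (true time minus a specified offset)."""
    t1 = now
    server_rx = server_tx = now + one_way_delay
    t4 = now + 2 * one_way_delay
    if policy == "honest":
        t2, t3 = server_rx, server_tx
    elif policy == "echo":
        t2 = t3 = t1
    elif policy == "fixed":
        t2, t3 = server_rx - fixed_offset, server_tx - fixed_offset
    else:
        raise ValueError(policy)
    return client_offset(t1, t2, t3, t4)


def would_step(offsets):
    """An abusive client polling several such servers steps its clock only
    if every server's offset lies beyond the step threshold."""
    return all(abs(o) > STEP_THRESHOLD for o in offsets)


# Constructed one-way delays to three servers (10, 30 and 50 ms).
DELAYS = [0.010, 0.030, 0.050]


def compare(fixed_offset=1.0):
    """Offsets the client sees under both schemes, plus whether it steps."""
    echo = [exchange(100.0, d, "echo")[0] for d in DELAYS]
    fixed = [exchange(100.0, d, "fixed", fixed_offset)[0] for d in DELAYS]
    return echo, would_step(echo), fixed, would_step(fixed)
```

With the echo scheme each offset is just minus the one-way delay (half the round trip), so the three servers nearly agree but stay well under the threshold; with a common 1 s offset all three report exactly -1 s and the client steps.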

