[time] What to do about abuse

Rob Janssen rob
Tue Feb 27 10:16:54 UTC 2007

Jeffrey Goldberg wrote:
> Well, I'm absolutely flabbergasted by the abusive clients.  I'd like  
> some understanding of what's behind it and what people do about it.
> It don't see anything to gain by being deliberately abuse.  You don't  
> gain anything by sending out a request 5 times per second.  As  
> annoying as it is, there is little chance of doing any noticeable  
> vandalism.  So my guess is that it is accidental.  But how could  
> someone accidentally configure a client to just keep making requests.
I think that most abuse is just ignorance.
There are some different ways of getting high rate of queries from a 
single IP:

1. a lot of systems behind a NAT router.  each system is configured to 
use the pool.
when all of the systems are powered up at about the same time (e.g. 
after a power
failure or an automated hotfix installation), all of the systems get the 
same DNS reply
when starting their NTP daemon and they all query the same set of 
timeservers.  You
get a high polling rate from a single IP, but in fact there are 
different systems.  This can
sometimes be noticed when checking the source port number.

2. a firewall that suppresses your reply, combined with a broken client.
some clients start polling once per second when they don't get a reply.  
people have a firewall that rejects the returned UDP packet from your 
server (I
even get "ICMP administratively blocked" sent to my system sometimes) and
their client increases the poll rate without ever getting in sync.

3. outright broken config files from persons who believe that fast 
polling is better or
that bursting is the way to go.  this is more towards vandalism rather 
than ignorance,
but it could be caused by not reading the documentation and guessing 
what certain
options will do (possibly after someone used a user-frienly admin GUI to 
the config file, and bursting is just a checkmark)

Of course people don't gain by this behaviour.  Either they lose, or 
they get no
gain.  However, many admins don't monitor their systems and they just don't
know that something is wrong or sub-optimal.

The big problem is that there is no way to get in contact with the 
responsible person,
so you will just have to live with the situation.


More information about the pool mailing list