[time] What to do about abuse
Tue Feb 27 16:43:57 UTC 2007
On Feb 27, 2007, at 4:16 AM, Rob Janssen wrote:
> Jeffrey Goldberg wrote:
>> Well, I'm absolutely flabbergasted by the abusive clients. I'd like
>> some understanding of what's behind it and what people do about it.
> I think that most abuse is just ignorance. There are some different
> ways of getting high rate of queries from a single IP:
> 1. a lot of systems behind a NAT router. each system is configured
> to use the pool. when all of the systems are powered up at about
> the same time (e.g. after a power failure or an automated hotfix
> installation), all of the systems get the same DNS reply when
> starting their NTP daemon and they all query the same set of
It turns out that this is what happened in my case. I had a total of
13,000 requests from 3 IPs, one was averaging a request every 0.15
seconds. The other two were at about one request every two seconds.
This went out for about half an hour and shortly after I started
> The big problem is that there is no way to get in contact with the
> responsible person, so you will just have to live with the situation.
I actually got a very prompt response from tera-byte.com telling me.
> I have just had a discussion with the sys admin that runs the 100+
> that sit behind those ip addresses. He has agreed to setup and run
> a local ntp server rather than querying pool.ntp.org
> We also have 2 ntp servers on our network for co-location
> customers to use
> however he was querying the pool directly.
So at least in one case contacted the abuse email from the whois
records for a net has shown that some good can come of sending off a
However, I should note that others have mailed me off list also
recommend ignoring abuse. After all a single ntpd server can easily
handle the load of abusive clients. Still, prompted by an early
success, I do like to idea of encouraging people to set up proper
Jeffrey Goldberg http://www.goldmark.org/jeff/
More information about the pool