[time] Abusive Clients, Brazilian Servers

Brandon West brandon
Sat Apr 26 04:18:15 UTC 2008

Just for grins, I turned on a tcpdump of my traffic. It's amazing how
many different people/organizations use the NTP pool. I noticed an
unnamed national lab is very very chatty to external NTP servers. It's
odd that they'd get their time from external servers. Where I work,
our network doesn't allow NTP traffic out, you have to use internal
Brandon West
blwest at mac.com
QOTD - "Life is fraught with opportunities to keep your mouth shut."

On Apr 25, 2008, at 8:44 PM, John Pettitt wrote:

> Matt Wagner wrote:
>> I recently added a second server to the pool. It's in Pennsylvania
>> (USA), but was incorrectly placed in the South America / Brazil zones,
>> presumably via a bad entry in GeoIP.
>> An interesting aside, it's getting 8 queries a second, set to 3 Mbps.
>> My Texas server is set to 10 Mbps and sees about 0.8 a second.
>> Probably because South America has a mere 16 servers, whereas North
>> America has 550.
>> I've noticed that, although I'm being inundated with queries, most are
>> coming from a handful of badly-behaved clients. The top 10 queries are
>> hitting me every 8 seconds or less. The worst offender
>> (gestum01.datadrome.net / is querying me at the
>> insane rates of TWO queries every second. (e.g., every 500ms.)
>> I've never had to deal with this before... How do you guys block these
>> nuts? It's just a handful of badly-configured clients, so I don't want
>> to leave the pool entirely. I'm not sure how the KoD works, nor how to
>> configure it. Do most clients respect that, or do I have to look at
>> firewalling? Does ntpd respect /etc/hosts.deny?
>> (As an aside, do you think it makes sense for me to stay as a Brazil
>> server? Obviously, my time quality will be degraded, but Brazil seems
>> awfully under-represented in terms of NTP hosts.)
>> -- Matt
> I have a script I run that adds bad servers to my ipfw tables (this is
> on FreeBSD); my server that is set to gigabit is currently blocking 82
> IPs.   If they stop trying to talk to me for more than an hour it
> unblocks them.
> Once in a while I look up the IP and email the admin - sometimes it
> actually works.
> John
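
The block-and-expire approach John describes in the quoted reply, written out as an added example (it is not his script or any code from this thread). The thresholds, the ipfw table number, the `plan` and `release` names, and the sample capture lines are assumptions constructed for illustration; it also assumes the capture still sees packets from clients that are already blocked.

```python
import re
from collections import defaultdict, deque

WINDOW = 60        # assumed: sliding window in seconds
MAX_QUERIES = 8    # assumed: more than this many queries per WINDOW is abusive
QUIET = 3600       # unblock after an hour of silence, as described in the thread
TABLE = 1          # hypothetical ipfw table number referenced by a deny rule

# Matches lines as printed by `tcpdump -tt -n udp dst port 123`.
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.123: NTPv\d, Client")

def release(blocked, last_seen, now, cmds):
    """Unblock every client that has sent nothing for more than QUIET seconds."""
    for ip in sorted(blocked):
        if now - last_seen[ip] > QUIET:
            blocked.discard(ip)
            cmds.append(f"ipfw table {TABLE} delete {ip}")

def plan(lines, now):
    """Return (ipfw commands, still-blocked set) for time-ordered capture lines."""
    recent = defaultdict(deque)          # ip -> request times inside WINDOW
    last_seen, blocked, cmds = {}, set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # ignore anything that is not a client query
        ts, ip = float(m.group(1)), m.group(2)
        release(blocked, last_seen, ts, cmds)
        last_seen[ip] = ts
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - WINDOW:       # drop requests that left the window
            q.popleft()
        if len(q) > MAX_QUERIES and ip not in blocked:
            blocked.add(ip)
            cmds.append(f"ipfw table {TABLE} add {ip}")
    release(blocked, last_seen, now, cmds)
    return cmds, blocked

# Constructed sample: one client at two queries per second, one at a 64 s poll.
T0 = 1209183495.0
FMT = "{:.6f} IP {}.123 > 203.0.113.1.123: NTPv4, Client, length 48"
SAMPLE = [FMT.format(T0 + i * 0.5, "192.0.2.10") for i in range(20)]
SAMPLE += [FMT.format(T0 + i * 64, "198.51.100.7") for i in range(5)]
SAMPLE.sort(key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for cmd in plan(SAMPLE, now=T0 + 300)[0]:
        print(cmd)
```
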
