[time] 8.8.38.2, wikis, and help for abusers

Matt Wagner mwaggy
Wed Apr 30 16:44:11 UTC 2008


Ask forwarded my e-mail to the people who maintain 8.8.38.2, and
they've resolved the issue. (Apparently a machine somewhere went nuts
and spawned 1024 NTP processes! I've seen the traffic stop, and he
says he's going to monitor the box closely to make sure.)

Incidentally, my second report ever, 216.58.108.226, was also met with
a prompt response and resolved.

I agree -- the "abusive" clients really aren't a big problem, but the
same obsessive-compulsive nature that causes me to want to keep all my
clock accurate to a few milliseconds also drives me to want to do
something about the people syncing every 5 seconds (or more often!).

(Nelson: our servers are neighbors -- 72.36.178.234, 50 Mbps)

As far as contacting people -- I just spent a few minutes probing
around to find information about the IP, and went from there. For a
box in a data center with 1TB transfer a month, even the
twice-a-second queries don't cost me a lot, but it irks me enough to
contact them. And I like to think it's helping out the people who host
a home NTP server on a DSL uplink or whatnot, who would be much more
affected by the absurdly-high rates you sometimes see.

On Wed, Apr 30, 2008 at 11:59 AM, Nelson Minar <nelson at monkey.org> wrote:
> If someone wants to look into this in detail, I've been logging timestamps
> for every single request my 100Mbps US time server gets. I've also been
> logging 1% of the actual NTP traffic. I've gone ahead and extracted
> timestamps for 8.8.38.2 for a little over two weeks starting April 2. You
> can download them here:
>   http://www.somebits.com/~nelson/tmp/ntp-8.8.38.2.txt.gz
>
>  There's 450,000 or so requests there for a rate of 1 request every 3
> seconds. It's not just that that rate is high, it's that they seem to be
> hitting a bunch of pool servers.
>
>  It'd be great to have some wiki docs to point people at. But it's a lot of
> effort to contact abusers. As long as the fraction of clients that are
> acting poorl isn't increasing, I'm not going to sweat it too much. The
> fraction of IPs sending more than 20 requests in 10 minutes has held below
> 0.4% for me in the seven months I've been watching:
>   http://www.somebits.com/ntp/one%20year.html
>
>



More information about the pool mailing list