[Pool] DDoS Type Attack
stenn at ntp.org
Mon Feb 17 02:38:21 UTC 2014
Charles Swiger writes:
> On Feb 16, 2014, at 11:58 AM, Nyamul Hassan <nyamul at gmail.com> wrote:
> > Good point, Clay Fiske. Is there a realistic estimate to how many packets
> > / sec a legitimate remote is allowed?
> Sure. ~10 per minute is the highest rate a normal client using iburst
> will startup as; after that one packet per minute (every 64 seconds,
> actually) is the most rapid polling rate that should be used without
> prior coordination.
I like the part about prior coordination, mostly.
> 10 packets per minute also accomodates ntpdate.
Which is about to be deprecated in favor of sntp or ntpd -q. The former
will usually only send 1 packet, the latter will iburst (as I recall).
> > Suppose, if we can agree on numbers like:
> > Less than 100 packets each min
> > + Less than 300 packets in 10 mins
> > + Less than 500 packets in 1 hour
> That's overgenerous: 500 packets per hour is 1 every 7.2 seconds.
> If something has a clock which is so defective that it can't keep time
> well enough that it needs to keep asking more than once a minute,
> well, it should be talking to something on the LAN instead of wasting
> public resources.
Unless you are a pool server that is getting NATed packets from a bunch
of clients behind a single IP.
More information about the pool