[Pool] DDoS Type Attack

Harlan Stenn stenn at ntp.org
Mon Feb 17 02:38:21 UTC 2014

Charles Swiger writes:
> On Feb 16, 2014, at 11:58 AM, Nyamul Hassan <nyamul at gmail.com> wrote:
> > Good point, Clay Fiske.  Is there a realistic estimate to how many packets
> > / sec a legitimate remote is allowed?
> Sure.  ~10 per minute is the highest rate a normal client using iburst
> will startup as; after that one packet per minute (every 64 seconds,
> actually) is the most rapid polling rate that should be used without
> prior coordination.

I like the part about prior coordination, mostly.

> 10 packets per minute also accommodates ntpdate.

Which is about to be deprecated in favor of sntp or ntpd -q.  The former
will usually only send 1 packet, the latter will iburst (as I recall).

> > Suppose, if we can agree on numbers like:
> > Less than 100 packets each min
> > + Less than 300 packets in 10 mins
> > + Less than 500 packets in 1 hour
> That's overgenerous: 500 packets per hour is 1 every 7.2 seconds.
> If something has a clock which is so defective that it can't keep time
> well enough that it needs to keep asking more than once a minute,
> well, it should be talking to something on the LAN instead of wasting
> public resources.

Unless you are a pool server that is getting NATed packets from a bunch
of clients behind a single IP.
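The thresholds proposed above (under 100 packets a minute, 300 in 10 minutes, 500 an hour) and the NAT caveat, as an added example that is not from the thread: a per-source sliding-window counter run over constructed timestamps for one well-behaved client, ten such clients behind a single NATed address, and a host polling once a second. The client timing used here (an 8-packet iburst 2 s apart, then one poll every 64 s) is an assumption about a default ntpd client, not something the thread states.

```python
"""Per-source NTP request rate check against the thresholds proposed in the thread.

Constructed example: no real traffic is involved; all timestamps are generated below.
"""
import bisect

# Proposed limits from the thread: (window in seconds, count that must stay below it).
WINDOWS = ((60, 100), (600, 300), (3600, 500))
LONGEST = max(span for span, _ in WINDOWS)


class SourceRate:
    """Sliding-window packet counts for one source IP (timestamps in seconds)."""

    def __init__(self):
        self.times = []  # kept sorted; only the last hour is retained

    def observe(self, t):
        """Record a packet at time t and return the window sizes whose limit it reaches."""
        self.times.append(t)
        # Forget anything at or before t - LONGEST; nothing older affects any count.
        del self.times[:bisect.bisect_right(self.times, t - LONGEST)]
        hit = []
        for span, limit in WINDOWS:
            count = len(self.times) - bisect.bisect_right(self.times, t - span)
            if count >= limit:  # "less than N" in the proposal means N itself is over
                hit.append(span)
        return hit


def classify(timestamps):
    """Return the set of window sizes a single source address tripped."""
    src = SourceRate()
    tripped = set()
    for t in sorted(timestamps):
        tripped.update(src.observe(t))
    return tripped


def iburst_client(start, seconds=3600):
    """Assumed well-behaved ntpd client: 8-packet iburst 2 s apart, then a poll every 64 s."""
    times = [start + 2 * i for i in range(8)]
    times.extend(range(start + 64, start + seconds, 64))
    return times


def nat_site(clients, stagger=1):
    """Several well-behaved clients whose packets all arrive from one NATed address."""
    merged = []
    for i in range(clients):
        merged.extend(iburst_client(i * stagger))
    return merged


if __name__ == "__main__":
    print("single client:", classify(iburst_client(0)))      # set()
    print("10 clients behind NAT:", classify(nat_site(10)))   # {3600}
    print("one packet per second:", classify(range(3600)))   # {600, 3600}
```

Ten legitimate clients sharing one address trip only the hourly limit, while a once-per-second poller slips under the per-minute limit and is caught only by the two longer windows.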


