[Pool] DDoS Type Attack

Charles Swiger cswiger at mac.com
Mon Feb 17 18:24:47 UTC 2014

On Feb 17, 2014, at 12:14 AM, Hal Murray <hmurray at megapathdsl.net> wrote:
> cswiger at mac.com said:
>> Sure.  ~10 per minute is the highest rate a normal client using iburst will
>> startup as; after that one packet per minute (every 64 seconds, actually) is
>> the most rapid polling rate that should be used without prior coordination.
> If you are thinking about this area, it's important to note that 10 per 
> minute is different from 1 per 6 seconds.  iburst sends a batch of 6 packets 
> at 2 second intervals.

Indeed yes.  Per-second rate limits don't match up well for NTP traffic, since
a reasonable rate even for a burst is under 1 PPS.

> How do packet filters compute average packet rate?  (I'll have to go look at 
> the code to see how ntpd does it.)

The code I've written keeps timers at second, minute, and hour granularity.  :-)

Stuff like iptables, pf, etc. tend to either do similar, or they let you say
"limit of X packets per N second window", and admins then typically configure a
5-second window to permit a burst and a 60- or 120-second window for longer-term rates.
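Added illustration, not part of the original message: a small simulation of the "X packets per N second window" style of limiting described above, fed with a constructed iburst timeline (6 packets at 2-second intervals, then one per 64 seconds) and a constructed 1 PPS sender. The specific window sizes and limits (3 per 5 s, 10 per 120 s) are assumptions, not recommended values.

```python
from collections import deque


def iburst_client(start=0.0, polls=5, poll_interval=64.0):
    """Constructed timeline of a well-behaved NTP client: an iburst of 6 packets
    at 2-second intervals, then one packet every 64 seconds."""
    times = [start + 2.0 * i for i in range(6)]
    last = times[-1]
    return times + [last + poll_interval * (k + 1) for k in range(polls)]


def steady_client(rate_pps, duration):
    """Constructed timeline of a sender at a fixed rate, e.g. 1 PPS for 120 s."""
    return [i / rate_pps for i in range(int(duration * rate_pps))]


class WindowLimiter:
    """Sliding-window limiter: every (window_seconds, max_packets) rule must hold
    for a packet to pass. Dropped packets do not count against the windows,
    mirroring the usual iptables/pf behaviour (an assumption of this model)."""

    def __init__(self, rules):
        self.rules = rules
        self.history = {window: deque() for window, _ in rules}

    def allow(self, t):
        # Expire old timestamps and check every window before admitting the packet.
        for window, limit in self.rules:
            q = self.history[window]
            while q and t - q[0] >= window:
                q.popleft()
            if len(q) >= limit:
                return False
        for window, _ in self.rules:
            self.history[window].append(t)
        return True


def run(rules, times):
    """Return (accepted, dropped) counts for a packet timeline under the rules."""
    lim = WindowLimiter(rules)
    accepted = sum(1 for t in times if lim.allow(t))
    return accepted, len(times) - accepted


PER_SECOND = [(1, 1)]           # the tightest per-second rule: 1 packet per second
WINDOWED = [(5, 3), (120, 10)]  # assumed burst window plus longer-term window

if __name__ == "__main__":
    for name, rules in (("per-second", PER_SECOND), ("windowed", WINDOWED)):
        print(name, "iburst:", run(rules, iburst_client()),
              "1 PPS sender:", run(rules, steady_client(1.0, 120)))
```

The per-second rule passes the 1 PPS sender in full, since it cannot express a limit below 1 PPS; the windowed rules pass the whole iburst timeline while capping the steady sender at 10 packets per 120 seconds.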


