[Pool] DDoS Type Attack
cswiger at mac.com
Mon Feb 17 18:24:47 UTC 2014
On Feb 17, 2014, at 12:14 AM, Hal Murray <hmurray at megapathdsl.net> wrote:
> cswiger at mac.com said:
>> Sure. ~10 per minute is the highest rate a normal client using iburst will
>> startup as; after that one packet per minute (every 64 seconds, actually) is
>> the most rapid polling rate that should be used without prior coordination.
> If you are thinking about this area, it's important to note that 10 per
> minute is different from 1 per 6 seconds. iburst sends a batch of 6 packets
> at 2 second intervals.
Indeed yes. Per-second rate limits don't match up well for NTP traffic, since
a reasonable rate even for a burst is under 1 PPS.
> How do packet filters compute average packet rate? (I'll have to go look at
> the code to see how ntpd does it.)
The code I've written keeps timers at second, minute, and hour granularity. :-)
Stuff like iptables, pf, etc tend to either do similar, or they let you say
"limit of X packets per N second window", and admins then typically configure a
5-second window to permit a burst and a 60- or 120-second window for longer-term rates.
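As an added illustration of the windowed rate limiting described in the reply above (example code written for this page, not ntpd's, iptables' or pf's code): a per-source sliding-window limiter with a 5-second window to permit a burst and a 60-second window for the longer-term rate, run over a constructed iburst client (6 packets at 2-second intervals, then one poll every 64 seconds) and a constructed 1 PPS flood. The per-window limits (4 packets per 5 s, 10 per 60 s) are assumed values chosen so that a well-behaved iburst client is never dropped.

```python
from collections import defaultdict, deque

# Assumed window configuration (not from the thread): (window seconds, max packets).
# 4 per 5 s lets an iburst through (at most 3 of its packets fall in any 5 s);
# 10 per 60 s caps the longer-term rate well above normal 64 s polling.
DEFAULT_WINDOWS = ((5, 4), (60, 10))


class WindowLimiter:
    """Per-source sliding-window limiter. A packet is accepted only if every
    window still has room, counting only previously *accepted* packets."""

    def __init__(self, windows=DEFAULT_WINDOWS):
        self.windows = windows
        self.longest = max(w for w, _ in windows)
        self.history = defaultdict(deque)  # src -> timestamps of accepted packets

    def allow(self, src, now):
        hist = self.history[src]
        # Forget accepted packets older than the longest window.
        while hist and now - hist[0] >= self.longest:
            hist.popleft()
        for window, limit in self.windows:
            if sum(1 for t in hist if now - t < window) >= limit:
                return False  # this window is full: drop
        hist.append(now)
        return True


def iburst_client_times(start=0.0, polls=3):
    """Constructed timeline: iburst of 6 packets 2 s apart, then 64 s polling."""
    times = [start + 2.0 * i for i in range(6)]
    t = times[-1]
    for _ in range(polls):
        t += 64.0
        times.append(t)
    return times


def flood_times(start=0.0, pps=1.0, seconds=120):
    """Constructed timeline: a constant-rate flood of `pps` packets per second."""
    return [start + i / pps for i in range(int(seconds * pps))]


def run(limiter, src, times):
    """Feed one source's packets through the limiter; return (accepted, dropped)."""
    accepted = sum(1 for t in times if limiter.allow(src, t))
    return accepted, len(times) - accepted


if __name__ == "__main__":
    lim = WindowLimiter()
    print("iburst client:", run(lim, "client-a", iburst_client_times()))  # (9, 0)
    print("1 PPS flood:  ", run(lim, "flood-b", flood_times()))          # (20, 100)
```

Because the limiter keys on source, the flooding source exhausts only its own windows and the iburst client beside it is unaffected.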