[ntp:questions] NTP Pool Server Costs me $40/mo in Bandwidth--is there a suggested way to rate-limit?

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Thu Jun 19 02:52:19 UTC 2014


On 2014-06-18 13:32, E-Mail Sent to this address will be added to the BlackLists wrote:
> <http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse>
>
> brian.cunnie at gmail.com wrote:
>> Is there a suggested way to rate-limit queries by broken clients?
>
> Firewall rules?
>   {Depends how broken the remote client is,
>     sometimes this makes them hammer more,
>     if you can get your ISP to block them at the ISP's end,
>      at least it won't cost you bandwidth.
>
> Use a unique subdomain for your ntp server,
>   so you can make it resolve to something else,
>    or not resolve if needed.
>
>
>> Are there any other techniques people have found to be helpful?
>
> <https://manage.ntppool.org/manage/servers>
>   Set connection Speed
>    set it to something lower, 384K?
>     and wait _many_ weeks then redo your statistics.
>
>
> restrict -4 default limited kod nomodify notrap nopeer noquery
> restrict 127.0.0.1
> restrict -6 default limited kod nomodify notrap nopeer noquery
> restrict ::1
> restrict 224.0.1.1 mask 255.255.255.255 nomodify
> restrict aa.bb.cc.dd  mask ww.xx.yy.zz nomodify # your LAN
> restrict source nomodify

FYI thought this could be handy info, but untested as I do not have a static IP:

# Linux kernel 2.3.15+ CONFIG_NETFILTER `Y'
# iptables/ip6tables
# http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
# NTP monlist LOG rule 1/minute
# u32 expression: 0>>22&0x3C = IP header length in bytes, @8 skips the 8-byte UDP
# header, &0xFF=42 tests the 4th NTP byte for mode 7 request code 42 (MON_GETLIST_1);
# quote the expression so the shell does not treat >> as a redirection
# PREROUTING rules belong in the raw or mangle table (*raw / *mangle); the rest is *filter
-A PREROUTING -p udp -m udp --dport ntp \
	-m u32 --u32 "0>>22&0x3C@8&0xFF=42" -m limit --limit 1/m --limit-burst 1 \
	-j LOG --log-prefix "BLOCKED: NTPMONLIST"
# NTP monlist DROP rule
-A PREROUTING -p udp -m udp --dport ntp -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
# NTP input drop more than 8p/16s => 10p/20s
# modprobe.conf - options xt_recent ip_list_tot=10000 ip_pkt_list_tot=12
# insmod  xt_recent
# modinfo xt_recent
# or
# echo 10000 > /sys/module/xt_recent/parameters/ip_list_tot
# echo 12 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
-A INPUT -p udp -m udp --dport ntp -m recent --name ntprate --rsource --set
# NTP drop more than 8p/16s => 10p/20s LOG rule 1/minute
-A INPUT -p udp -m udp --dport ntp \
	-m recent --name ntprate --rsource --update --seconds 20 --hitcount 10 \
	-m limit --limit 1/m --limit-burst 1 \
	-j LOG --log-prefix "DROPPED: NTPRATE"
# NTP drop more than 8p/16s => 10p/20s DROP rule
-A INPUT -p udp -m udp --dport ntp \
	-m recent --name ntprate --rsource --check --seconds 20 --hitcount 10 \
	-j DROP
# check /proc/net/xt_recent/ntprate
# NTP accept NEW,ESTABLISHED
-A INPUT -p udp -m udp --dport ntp -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport ntp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport ntp -m state --state NEW,ESTABLISHED -j ACCEPT

# HeartBleed LOG rule 1/minute
# u32 offset 52 assumes a 20-byte IPv4 header plus a 32-byte TCP header (with options);
# 0x18 0x03 xx xx = TLS record content type 24 (heartbeat), any TLS 1.x version
-A INPUT -p tcp --dport https \
	-m u32 --u32 "52=0x18030000:0x1803FFFF" -m limit --limit 1/m \
	-j LOG --log-prefix "BLOCKED: HEARTBEAT"
# HeartBleed DROP rule
-A INPUT -p tcp --dport https -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP

# HeartBleed Wireshark rules
#tshark -i interface port https -R 'frame[68:1] == 18'
#tshark -i interface port https -R 'ssl.record.content_type == 24'


-- 
Take care. Thanks, Brian Inglis
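Added example, not part of the post above or of the Team Cymru template: it evaluates the monlist u32 expression "0>>22&0x3C@8&0xFF=42" in Python on constructed IPv4/UDP/NTP packets, so you can see exactly which bytes the DROP rule tests and why the IP-header-length term matters when IP options are present. Packet contents and addresses are made up here.

```python
import struct
from typing import Optional

MON_GETLIST_1 = 42  # NTP mode 7 request code (monlist) that the DROP rule keys on


def ipv4_udp_packet(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4+UDP datagram to port 123; checksums are left zero (not checked)."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_options
    udp_hdr = struct.pack("!HHHH", 40000, 123, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def ntp_mode7_request(req_code: int) -> bytes:
    """Constructed NTP private (mode 7) request: R|M|VN|mode, auth/seq, impl, req code."""
    return bytes([(2 << 3) | 7, 0, 3, req_code]) + bytes(4)


def word_at(pkt: bytes, offset: int) -> Optional[int]:
    """xt_u32 reads 4 big-endian bytes; a read past the packet end simply fails to match."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def matches_monlist_rule(pkt: bytes) -> bool:
    """Evaluate "0>>22&0x3C@8&0xFF=42" term by term, the way xt_u32 does."""
    w0 = word_at(pkt, 0)
    if w0 is None:
        return False
    ihl_bytes = (w0 >> 22) & 0x3C             # ver|IHL|TOS >> 22, masked = IHL * 4
    w = word_at(pkt, ihl_bytes + 8)           # "@8": skip IP header and 8-byte UDP header
    return w is not None and (w & 0xFF) == MON_GETLIST_1   # 4th NTP byte = request code


def matches_fixed_offset(pkt: bytes) -> bool:
    """Naive variant that hard-codes a 20-byte IP header (offset 28 = UDP payload)."""
    w = word_at(pkt, 28)
    return w is not None and (w & 0xFF) == MON_GETLIST_1
```

With four bytes of IP options (IHL 6) the fixed-offset variant reads the UDP length/checksum fields instead of the NTP request code and misses the monlist request, while the kernel-style evaluation still matches.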