On 04/06/18 21:00, Peter N. M. Hansteen wrote:
> Excessive traffic can have weird side effects, including what you
> describe here.
> 
> Your story reminds me of the D-Link vs Poul-Henning Kamp episode some
> years back
> (https://www.theregister.co.uk/2006/04/13/d-link_time_row_escelates/ as
> well as searching for the obvious keywords) -- essentially the low-end
> router manufacturer had shipped product with a hard coded, tiny set of
> time servers in their product, one of which turned out to be PHK's very
> own, and his link to the world was flooded.

Yeah, I don't think my case is anywhere near as severe as that, but yes,
I have read up on NTP server abuse.  The only confirmed bit of NTP
server abuse I would have copped in recent times would have been the
Snapchat fiasco and the more recent issue with some TP-Link repeaters.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Snapchat_on_iOS

> If you have data on the traffic (netflow comes to mind) it might be
> worth the effort to see if there's a pattern where the traffic
> originated. It could be down to some common misconfiguration, maybe even
> too many naive followers of a slightly misguidedly written HOWTO somewhere.

This is something I'm looking to investigate, some sort of traffic
accounting so I can track per IP/protocol/port, how much traffic passes
through my router.  I did something similar on Linux a year or two back,
I just have to research how to do the equivalent in OpenBSD.

A quick Google search suggests netflow is a Cisco router feature.
https://hackaday.io/project/10529/log/146422-new-router shows the
installation of the APU2, no Cisco kit here, it's basically a patch
cable between the ADSL2 modem and the APU2's `em1` port.  If there is an
equivalent on OpenBSD, I'll gladly have a look.

My guide was `man pf.conf`, perhaps skimmed over too quickly.  I'm not
willing to blame the OpenBSD team just yet, more probable I
misunderstood something, hence the query of whether this line of
investigation is worth pursuing.

Looking back, the fact that the first spike in my Internet usage
happened on the 20th May, the day of the first such issue with my APU2
having internal network connectivity issues, and the fact that the
connectivity issue disappeared once I pulled the machine out of the
pool, is just too much of a coincidence to ignore.

One thought that has crossed my mind, is whether OpenNTPD could track
the rate of requests on a per-client basis, and send a KOD response when
a given client exceeded a certain request rate quota, or when a certain
number of active clients had been reached.  It would basically serve as
a message saying "back off" to the clients.

Sadly (like in the case of Netgear vs University of Wisconsin–Madison,
and D-Link vs Poul-Henning Kamp), this won't work for all clients.

We truly are at the mercy of what a client decides to do with that DNS
server response.

Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
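The OpenBSD equivalent of the NetFlow accounting asked about above is pflow(4): pf exports a flow record for each state it closes when the rule (or `set state-defaults pflow` in pf.conf) has the `pflow` option, and an `ifconfig pflow0 flowsrc <addr> flowdst <addr>:<port>` interface sends those records, NetFlow v5 by default, to a collector. What follows is an added example, not code from the thread or from OpenBSD: a minimal v5 collector-side decoder that validates each datagram and sums packets and bytes per source IP, protocol and destination port, so one client hammering UDP/123 stands out. The flow tuples in `SAMPLE_FLOWS` are constructed for the example, and a real collector would read the datagrams from a UDP socket bound to the `flowdst` port rather than build them itself.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order), as exported by pflow(4).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                   # a v5 datagram carries at most 30 flows
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow dicts.

    Rejects anything that is not a well-formed v5 export, so a stray or
    spoofed packet on the collector port cannot skew the accounting."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"datagram is {len(datagram)} bytes, expected {expected}")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
        })
    return flows


def is_valid_export(datagram: bytes) -> bool:
    """True when the datagram parses as NetFlow v5."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def account(flows) -> dict:
    """Sum packets and bytes per (source IP, protocol, destination port)."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (f["src"], f["proto"], f["dport"])
        totals[key][0] += f["packets"]
        totals[key][1] += f["bytes"]
    return dict(totals)


def top_talkers(totals: dict, n: int = 5) -> list:
    """Largest n keys by byte count, so the client hammering one service stands out."""
    return sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)[:n]


def report(totals: dict, n: int = 5) -> str:
    lines = []
    for (src, proto, dport), (pkts, octets) in top_talkers(totals, n):
        lines.append(f"{src:<16} {PROTO_NAMES.get(proto, proto)}/{dport:<5} "
                     f"{pkts:>8} pkts {octets:>10} bytes")
    return "\n".join(lines)


# --- Constructed sample data for this example; not a real capture. -------
# (src, dst, proto, sport, dport, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.1", 17, 50123, 123, 600, 45600),  # one client polling NTP hard
    ("198.51.100.7", "192.0.2.1", 17, 50124, 123, 600, 45600),
    ("203.0.113.9",  "192.0.2.1", 17,   123, 123,   1,    76),  # a well-behaved NTP client
    ("203.0.113.9",  "192.0.2.1",  6, 41000,  22,  40,  5120),  # an SSH session
]


def build_v5_export(flows, seq: int = 0) -> bytes:
    """Pack flow tuples into a v5 datagram the way an exporter would (test input only)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    header = V5_HEADER.pack(5, len(flows), 123456, 1528041600, 0, seq, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    print(report(account(parse_netflow_v5(build_v5_export(SAMPLE_FLOWS)))))
```

Because pflow only emits a record when a state expires, long-lived flows show up late; for the per-client question in this thread that is fine, since every NTP request is its own short UDP state and each one becomes a record.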

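The per-client "back off" mechanism floated above already has a wire format: RFC 5905 section 7.4 defines the Kiss-o'-Death packet as a server reply with stratum 0 and a four-character ASCII kiss code in the reference ID field, with "RATE" meaning the client exceeded the server's rate threshold. The block below is an added example, not OpenNTPD code and not something OpenNTPD does: it parses a mode-3 client request, keeps a token bucket per client address, and answers either a normal reply or a RATE KoD. The cap on tracked clients, the bucket parameters, and the upstream address 192.0.2.10 used as the reference ID of the normal reply are this example's own choices, and the limiter takes the clock as a parameter so the behaviour can be checked without waiting.

```python
import socket
import struct

# NTPv4 packet layout (RFC 5905, section 7.3): 48 bytes, network byte order.
NTP_PACKET = struct.Struct("!BBBbII4sQQQQ")
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
LI_UNSYNC = 3                          # leap indicator "clock unsynchronized"
UPSTREAM_REFID = socket.inet_aton("192.0.2.10")   # assumed upstream, example only


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_request(vn: int = 4, tx_ts: int = 0) -> bytes:
    """A minimal SNTP-style client request (mode 3)."""
    return NTP_PACKET.pack((0 << 6) | (vn << 3) | MODE_CLIENT,
                           0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, tx_ts)


def kiss_code(packet: bytes):
    """Return the ASCII kiss code of a KoD reply, or None for a normal reply."""
    fields = NTP_PACKET.unpack(packet)
    if (fields[0] & 7) == MODE_SERVER and fields[1] == 0:
        return fields[6].decode("ascii")
    return None


class KodRateLimiter:
    """Per-client token bucket: `burst` requests at once, then one per 1/rate seconds."""

    def __init__(self, rate: float = 1 / 8, burst: int = 4, max_clients: int = 1000):
        self.rate, self.burst, self.max_clients = rate, burst, max_clients
        self.buckets = {}      # client ip -> [tokens, last_seen]
        self.kod_sent = 0

    def _expire(self, now: float) -> None:
        # A bucket idle long enough to have refilled completely carries no state worth keeping.
        idle_limit = self.burst / self.rate
        for ip in [ip for ip, (_, last) in self.buckets.items() if now - last > idle_limit]:
            del self.buckets[ip]

    def _allow(self, ip: str, now: float) -> bool:
        bucket = self.buckets.get(ip)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self._expire(now)
                if len(self.buckets) >= self.max_clients:
                    return False   # table full: refuse rather than grow without bound
            bucket = self.buckets[ip] = [float(self.burst), now]
        tokens, last = bucket
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        bucket[1] = now
        if tokens >= 1:
            bucket[0] = tokens - 1
            return True
        bucket[0] = tokens
        return False

    def handle(self, ip: str, packet: bytes, now: float):
        """Return the reply bytes for a client request, or None to drop the packet."""
        if len(packet) != NTP_PACKET.size:
            return None
        fields = NTP_PACKET.unpack(packet)
        vn, mode = (fields[0] >> 3) & 7, fields[0] & 7
        if mode != MODE_CLIENT:
            return None
        client_tx = fields[10]            # echoed back as the origin timestamp
        if self._allow(ip, now):
            return self._reply(vn, client_tx, now)
        self.kod_sent += 1
        return self._kod(vn, client_tx, b"RATE")

    def _reply(self, vn: int, client_tx: int, now: float) -> bytes:
        ts = to_ntp_ts(now)
        return NTP_PACKET.pack((0 << 6) | (vn << 3) | MODE_SERVER, 2, 6, -20,
                               0, 0, UPSTREAM_REFID, ts, client_tx, ts, ts)

    def _kod(self, vn: int, client_tx: int, code: bytes) -> bytes:
        # Stratum 0 plus the kiss code in the reference ID is what marks this as KoD.
        return NTP_PACKET.pack((LI_UNSYNC << 6) | (vn << 3) | MODE_SERVER, 0, 6, 0,
                               0, 0, code, 0, client_tx, 0, 0)
```

Whether the KoD achieves anything is up to the client, which is the point made in the thread: a well-written client backs off, a badly written one keeps polling, and the server has still spent a reply on each request it answered with RATE.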