Scott Baker wrote:
What's the best way to deal with a bad NTP client? My server was
getting 4000 requests every 5 seconds from 65.99.214.245. The box
was able to handle it fine, but my firewalls were having a problem
handling that many packets.
At this particular moment my server is replying to 7181 requests /
second from various IP addresses and the firewall seems to be doing just
fine.
As mentioned elsewhere, it's a good idea to
a) complain to the owner of that box and
b) stop using connection tracking for the NTP packets.
Here are the relevant lines from my firewall scripts:
$IPTABLES -t raw -A PREROUTING -i $INET_IFACE -p udp --dport 123 -j NOTRACK
$IPTABLES -t raw -A OUTPUT -p udp --sport 123 -j NOTRACK
If someone doesn't want to mess with iptables to disable the connection
tracking for NTP packets, I'd at least recommend reducing the timeout
for UDP packets with
echo 10 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
echo 20 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
or adjust the appropriate entries in /etc/sysctl.conf.
Beware that modifying this UDP timeout also affects other UDP traffic,
for example DNS queries. This might cause some DNS queries to fail.
You've been warned. Adjusting this UDP timeout is unnecessary if you're
already using the aforementioned NOTRACK trick.
Hope this helps (at least someone).
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
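As an added example (not part of the thread above), the following script finds NTP clients that send bursts like the 4000-per-5-seconds case and puts a number on why connection tracking suffers: it estimates how many UDP conntrack entries a given request rate pins down for a given timeout. The log format mimics `tcpdump -n -tt udp port 123`; the addresses, ports and timestamps are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -n -tt udp port 123` output;
# addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
1181234567.001 IP 203.0.113.7.50001 > 192.0.2.1.123: NTPv4, Client, length 48
1181234567.002 IP 203.0.113.7.50002 > 192.0.2.1.123: NTPv4, Client, length 48
1181234567.003 IP 203.0.113.7.50003 > 192.0.2.1.123: NTPv4, Client, length 48
1181234567.500 IP 198.51.100.9.40000 > 192.0.2.1.123: NTPv4, Client, length 48
1181234568.010 IP 203.0.113.7.50004 > 192.0.2.1.123: NTPv4, Client, length 48
1181234571.900 IP 203.0.113.7.50005 > 192.0.2.1.123: NTPv4, Client, length 48
1181234572.100 IP 198.51.100.9.40001 > 192.0.2.1.123: NTPv4, Client, length 48
"""
# groups: timestamp, source IP, source port, destination port
LINE_RE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+\.(\d+):")

def parse_requests(text):
    """Return (timestamp, src_ip, src_port) for every packet sent to UDP 123."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "123":
            out.append((float(m.group(1)), m.group(2), int(m.group(3))))
    return out

def peak_requests_per_window(requests, window=5.0):
    """Busiest fixed-size window (5 s, as in the thread) for each source IP."""
    per_bucket = Counter((ip, int(ts // window)) for ts, ip, _ in requests)
    peak = {}
    for (ip, _), n in per_bucket.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return peak

def noisy_clients(requests, threshold, window=5.0):
    """Source IPs whose busiest window reaches the threshold, noisiest first."""
    peak = peak_requests_per_window(requests, window)
    return sorted((ip for ip, n in peak.items() if n >= threshold),
                  key=lambda ip: -peak[ip])

def conntrack_entries(requests_per_second, udp_timeout_seconds):
    """Entries kept alive when each request comes from a fresh source port: every
    packet is its own UDP flow until the timeout expires, so the table holds
    about rate * timeout entries (with NOTRACK this drops to zero)."""
    return requests_per_second * udp_timeout_seconds

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    print("noisy clients:", noisy_clients(reqs, threshold=3))
    # 7181 req/s from the post: 30 s default UDP timeout vs the suggested 10 s
    print(conntrack_entries(7181, 30), conntrack_entries(7181, 10))
```

Run against a real capture, replace `SAMPLE_LOG` with the output of tcpdump on the server's external interface; the 30 s figure is the kernel's default single-packet UDP conntrack timeout, which is what the echo to `ip_conntrack_udp_timeout` above lowers.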