On Thu, Mar 24, 2011 at 11:46 AM, <[email protected]> wrote:
> For some days I have had a public ntp server in the pool. Today I discovered
> that ntpd was using around 5% CPU power and found a constant packet flow of
> around 500..1000 packets per second from a single IP address.

Please share the IP address so others can keep an eye out for similar abuse
against their pool servers.

> Any hints how to deal with this besides dropping them by iptables?

Dropping at a firewall (whether upstream or host-based) will prevent ntpd
from wasting CPU, but ntpd alone has a few relevant knobs.

> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery

kod does nothing without limited. Add limited to your default restrictions
and ntpd will provide time service no more than once every 2s (default,
see the html/ docs for "discard minimum" to adjust):

> restrict -4 default limited kod notrap nomodify nopeer noquery
> restrict -6 default limited kod notrap nomodify nopeer noquery
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1

# previous abusers get nothing (replace 1.2.3.4 with the abuser's IP address)
restrict 1.2.3.4 ignore

# if their address varies within a subnet (use whois to determine the
# netblock and mask)
restrict 1.2.3.0 mask 255.255.255.0 ignore

Cheers,
Dave Hart
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
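The kod-without-limited mistake above is easy to ship and silent in operation, so here is a small audit script for it. This is an added example, not part of the thread or of ntpd; it parses ntp.conf restrict lines (comment stripping and tokenising are this script's own simplification of the ntpd syntax), flags default lines that request kod but not limited, and shows the corrected lines. The embedded config is constructed from the lines in the thread; 1.2.3.4 is a placeholder, not a real abuser.

```python
"""Audit ntp.conf 'restrict' directives for 'kod' without 'limited'."""
from typing import List, Tuple

# Constructed sample: the original (ineffective) default restrictions from the
# thread, the local-host lines, and the per-abuser 'ignore' entries.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# previous abusers get nothing (1.2.3.4 is a placeholder address)
restrict 1.2.3.4 ignore
restrict 1.2.3.0 mask 255.255.255.0 ignore
"""


def parse_restrict_lines(conf_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, argument_tokens) for every 'restrict' directive.

    Comments ('#' to end of line) and blank lines are skipped."""
    found = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] == "restrict":
            found.append((n, tokens[1:]))
    return found


def audit_restrict(conf_text: str) -> List[str]:
    """Flag default restrict lines that set 'kod' but not 'limited'.

    Without 'limited' ntpd never rate-limits, so no Kiss-o'-Death packet is
    ever sent and 'kod' is a no-op."""
    findings = []
    for n, args in parse_restrict_lines(conf_text):
        flags = set(args)
        if "default" in flags and "kod" in flags and "limited" not in flags:
            findings.append(f"line {n}: 'kod' without 'limited' is a no-op")
    return findings


def fix_restrict(conf_text: str) -> str:
    """Return the config with 'limited' inserted before 'kod' where missing."""
    fixed = []
    for raw in conf_text.splitlines():
        args = raw.split("#", 1)[0].split()
        if args[:1] == ["restrict"] and {"default", "kod"} <= set(args) \
                and "limited" not in args:
            raw = raw.replace(" kod", " limited kod", 1)
        fixed.append(raw)
    return "\n".join(fixed) + "\n"
```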
