On Tue, 2012-08-21 at 20:40 +0200, Daniel Frank wrote:
> Hello,
>
> this email brought me to finally implement what I wanted to do for two
> months already: implementing a decent Linux iptables ruleset for ntp.
> Weapon of choice: the recent module, to avoid having to manually blacklist
> clients.
>
> After setting a rule that blocked all packets from clients that send 9 or
> more packets in 10 seconds, I noticed that about 2-3% of all packets were
> filtered out, with about 120 clients affected in 15 minutes.
> Did I accidentally filter out normal packages, like the bursts when a client
> initializes? What are normal package rates?
>
> I have set it to 9 packages in 5 seconds now and the numbers look a lot
> more decent, with only 5 clients filtered in 15 minutes.
>
> Any further suggestions about filtering misbehaving clients?

I have netfilter allowing 16 within 4 seconds. I believe 16 frames is
appropriate for burst; I may be wrong. For those with multiple computers
behind NAT, my iptables rules may be a problem for some, though you would
hope most locations with several computers have an NTP server themselves.
You could also use the "limit" restriction in NTP.

Andy

> Regards,
> Daniel
>
> On Tue, 21 Aug 2012 01:51:10 -0400, AlbyVA <[email protected]> wrote:
> > Break out the Firewall Filters if you are being abused with a DoS/DDoS
> > attack.
> > If that fails, call your ISP. They have network security on staff to help
> > address the issue.
> >
> > On Tue, Aug 21, 2012 at 1:45 AM, Hal Murray <[email protected]> wrote:
> >
> >> [email protected] said:
> >> > I'm not sure if this client has a severe bug or is intentionally trying to
> >> > overload the server but I have been receiving an average of around 500
> >> > packets per second from them for the last hour and a half with occasional
> >> > drops to about 350 pps. ...
> >>
> >> One possibility is that somebody is using NTP as a DDoS mechanism.
> >>
> >> NTP doesn't amplify much, but it's easy to forge the return address on UDP
> >> packets.
> >>
> >> --
> >> These are my opinions. I hate spam.
> >>
> >> _______________________________________________
> >> pool mailing list
> >> [email protected]
> >> http://lists.ntp.org/listinfo/pool
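To see why Daniel's 9-in-10 s and 9-in-5 s settings and Andy's 16-in-4 s behave so differently, the script below (an added example, not code from anyone in this thread) models the standard xt_recent `--set` / `--update --seconds S --hitcount H -j DROP` rule pair and runs it over three constructed traffic patterns: a single ntpd client using `iburst` (eight packets 2 s apart, then a poll every 64 s), four such clients booting together behind one NAT address (Andy's caveat), and a 500 pps source like the one Hal Murray was asked about. The IP addresses, timings and the assumption that `iburst` spaces its eight packets 2 s apart are all mine, not from the thread; the model records one timestamp per packet and caps the history at xt_recent's default of 20 entries, and omits the kernel's extra timestamp refresh on a matching `--update`.

```python
"""Toy model of an iptables 'recent' rate limit on udp/123.

Models this rule pair (the usual shape of a hitcount limiter; assumed here,
not quoted from the thread):

    iptables -A INPUT -p udp --dport 123 -m recent --name ntp --set
    iptables -A INPUT -p udp --dport 123 -m recent --name ntp \
        --update --seconds S --hitcount H -j DROP

A packet is dropped when it is the H-th (or later) packet from its source
address within the last S seconds.  All traffic below is constructed.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20   # xt_recent's default per-source history depth


def iburst_client(src, start_ms=0, polls=3):
    """One ntpd client with 'iburst': 8 packets 2 s apart (assumed spacing),
    then one poll every 64 s.  Times are milliseconds."""
    pkts = [(start_ms + 2000 * i, src) for i in range(8)]
    last = start_ms + 14000
    pkts += [(last + 64000 * (i + 1), src) for i in range(polls)]
    return pkts


def nat_of(src, clients, stagger_ms=100):
    """Several iburst clients booting together behind one NAT address."""
    pkts = []
    for i in range(clients):
        pkts += iburst_client(src, start_ms=i * stagger_ms)
    return pkts


def flood(src, pps, duration_s):
    """A single source sending pps packets per second for duration_s seconds."""
    step = 1000 // pps
    return [(i * step, src) for i in range(pps * duration_s)]


def simulate(packets, seconds, hitcount):
    """Apply the rule pair above; return {src: (passed, dropped)}."""
    window_ms = seconds * 1000
    history = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, src in sorted(packets, key=lambda p: p[0]):
        h = history[src]
        h.append(t)                                       # --set
        hits = sum(1 for s in h if t - s <= window_ms)    # --update --seconds/--hitcount
        if hits >= hitcount:
            dropped[src] += 1                             # -j DROP
        else:
            passed[src] += 1
    return {src: (passed[src], dropped[src]) for src in history}


# Constructed traffic mix (RFC 5737 documentation addresses).
TRAFFIC = (iburst_client("203.0.113.10")
           + nat_of("198.51.100.7", clients=4)
           + flood("192.0.2.99", pps=500, duration_s=2))

SETTINGS = {
    "9 in 10 s (Daniel, first try)": (10, 9),
    "9 in 5 s (Daniel, second try)": (5, 9),
    "16 in 4 s (Andy)": (4, 16),
}


def report(traffic=TRAFFIC):
    """Run every setting over the traffic mix; {label: {src: (passed, dropped)}}."""
    return {label: simulate(traffic, sec, hits) for label, (sec, hits) in SETTINGS.items()}


if __name__ == "__main__":
    for label, result in report().items():
        print(label)
        for src, (p, d) in result.items():
            print(f"  {src:14s} passed={p:5d} dropped={d:5d}")
```

A lone `iburst` client never has more than six packets inside any 10 s window, so none of the three settings touch it; the flood loses everything after its first 8 or 15 packets. The four-client NAT is the interesting case: with either of Daniel's 9-hit settings, 24 of its 32 start-up packets are dropped, while Andy's 16-in-4 s passes all of them, because a 4 s window never holds more than nine packets of that burst. Two caveats the model makes visible: the per-source history is only 20 deep by default (`ip_pkt_list_tot`), so `--hitcount` above 20 silently never matches unless the module parameter is raised; and, as Hal's point implies, for spoofed reflection traffic the "source" being limited is the victim, so this protects the server's own bandwidth rather than the victim. The ntpd-side counterpart Andy alludes to is `restrict ... limited` (optionally with `kod`) together with the `discard` directive, which is configuration not shown in the thread.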
