For those of you who employ the 'limited' directive, did you use the default discard values or tweak them? With the default settings I've noticed an awful lot of rate limited packets, more than half of my incoming requests. I want to be somewhat more permissive than the defaults, while still protecting my server from being flooded or used in a reflective attack, but the discard values don't seem to be doing what the FAQ suggests they should.

I went with:

average 3 (the default, I believe, in log2, so it should be 8 seconds?)
minimum 0 (default is 2, I wanted zero so badly implemented clients can still burst, so long as they don't violate the average)

My read on this from the manual is that a client should be allowed a maximum of eight requests in a single burst, irrespective of how quickly they arrive, but I'm still seeing rate limited clients with less than eight requests:

ntpq> mrulist limited sort=count
Ctrl-C will stop MRU retrieval and display partial results.
Retrieved 689 unique MRU entries and 0 updates.
lstint avgint rstr r m v  count rport remote address
==============================================================================
  3677      0  1f0 L 3 3      2  1051 183.148.17.76
  1462      5  1f0 L 3 3      3   123 70.142.15.34
  1739      1  1f0 L 3 3      3  1025 108.178.131.173
  1905      5  1f0 L 3 3      3   123 72.51.186.133
  2062      0  1f0 L 3 4      3   123 98.236.212.104
  2359      0  1f0 L 3 4      3   123 98.237.32.60
  2415      0  1f0 L 3 4      3   123 72.197.236.75
   193      1  1f0 L 3 4      4 10781 97.81.136.151
   212      1  1f0 L 3 4      4   123 75.131.120.127
   223      1  1f0 L 3 4      4   123 75.138.226.209

Now, of course we have others who should have been limited, like these guys:

  1296      8  1f0 L 3 4     20     1 68.254.161.155
  2061     83  1f0 L 3 4     20   123 174.49.141.157
  2081     71  1f0 L 3 4     20   123 174.59.163.152
  2096     74  1f0 L 3 4     20   123 174.60.34.25
  2100     78  1f0 L 3 4     20   123 67.163.158.97
  2111     73  1f0 L 3 4     20   123 76.120.155.241

(In fact, the first one seems like a probable probe or attack; how many OSes choose port 1 as an ephemeral port? That's another discussion though...)

All of the ones in the latter case should have been limited, but why are the former ones getting it, with my supposedly more permissive rules?

_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool