On 11/5/2013 1:30 PM, E Frank Ball III wrote:
> My UK server also got hammered.  In early October bandwidth exploded and
> I shut it down for 2-3 weeks.  I turned it on again Oct 30 and set the
> bandwidth limit to 384kB (It had been 100MB).  Sunday bandwidth exploded
> and my hosting provider null routed my IPv4 address, they said it was
> affecting their network.  Outbound was 10GB in one hour.  TX/RX ratio
> for the day was 111:1 (from vnstat).  Too late for a TCP dump, I had to
> firewall IPv4 port 123 UDP (IPv6 is still up).  My hosting provider
> reconnected me after I did this.

---snip---

> Is allowing query a problem?  Does that allow amplification?

---snip---

Even if you have ntp's internal rate limiter turned on (and the "kiss of
death" feature enabled to block hosts which violate the limits) in my
opinion the "query" functionality (ntpq and ntpdc) doesn't get rate
limited, so I would have to say yes, it's probably one of the most
abusable features in ntp.

My server has yet to be abused, but today I just opted to be that much
more safe about things, and so I've opted to make the default restrict
line much less abusable:

Previously I hadn't had kod enabled at all, but now I do
(relaxed settings... and here are my notes)

The "discard" line is for tuning the values for "kod" rate limiting

The default settings for "discard" are "average 3" and "minimum 2"
(if you omit the discard line, those values are used for kod)

"minimum" is in seconds
(I figure "1 packet per second" is acceptable for very short periods)

"average" is log2 like the minpoll and maxpoll for peer or server lines
(a value of 2 = 4 seconds, 3 = 8 seconds, 4 = 16 seconds, etc.)



# begin /etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift

discard average 2 minimum 1
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# (everything below here in my /etc/ntp.conf is configuration specific)
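As an added defender's check (example code, not part of the original post): a small Python audit that parses an ntp.conf laid out like the one above, reports which of the restrict-default flags (kod, noquery, nomodify, nopeer) are missing per address family, and converts the discard parameters to seconds using the log2 rule described above. The sample config is constructed, and the parser assumes the post's two-line layout where a bare "default" is the IPv4 line and "-6 default" the IPv6 line.

```python
# Defaults ntpd uses when no "discard" line is present (as stated in the post above).
DEFAULT_AVERAGE_LOG2 = 3
DEFAULT_MINIMUM_SEC = 2

# Constructed sample: the post's config with "noquery" deliberately dropped from the IPv6 line.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
discard average 2 minimum 1
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_ntp_conf(text):
    """Return (discard, defaults). Assumption: a bare 'default' is the IPv4 line and
    '-6 default' the IPv6 line, as in the post (newer ntpd applies a bare one to both)."""
    discard = {"average": DEFAULT_AVERAGE_LOG2, "minimum": DEFAULT_MINIMUM_SEC}
    defaults = {"ipv4": None, "ipv6": None}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip comments, skip blank lines
        if not tokens:
            continue
        if tokens[0] == "discard":
            for key, val in zip(tokens[1::2], tokens[2::2]):  # "average N minimum M"
                if key in discard:
                    discard[key] = int(val)
        elif tokens[0] == "restrict":
            rest, family = tokens[1:], "ipv4"
            if rest and rest[0] in ("-4", "-6"):
                family = "ipv6" if rest[0] == "-6" else "ipv4"
                rest = rest[1:]
            if rest and rest[0] == "default":
                defaults[family] = set(rest[1:])
    return discard, defaults

def audit(text):
    """Findings on the default restrict lines; an empty list means every flag is present."""
    _, defaults = parse_ntp_conf(text)
    findings = []
    for family, flags in defaults.items():
        if flags is None:
            findings.append(f"{family}: no 'restrict default' line, unlisted clients get full access")
            continue
        findings += [f"{family}: restrict default lacks '{f}'"
                     for f in ("kod", "noquery", "nomodify", "nopeer") if f not in flags]
    return findings

def effective_rate_limits(discard):
    """Translate discard parameters to seconds: 'minimum' is seconds, 'average' is log2."""
    return {"min_interval_sec": discard["minimum"], "avg_interval_sec": 2 ** discard["average"]}
```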



I'm glad I finally thought to look into the "kiss of death" rate limiter

hope this helps,
Sarah
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool