> I think it is a badly written client that behaves like this (sending a request every second) when it does not get a reply. It may be that your replies (and probably everyone's replies) are blocked by a wrongly configured firewall at his end, and the client infinitely re-tries.
> 
> I have seen this behaviour back when I was still running a pool server on IPv4. I enabled rate-limiting and KOD that caused clients polling once every 15 seconds or more often, and found that as a result I got some clients that polled every second. Resetting the blocks made them stop doing that. Apparently the rate-limiting mistriggered (maybe because of an initial burst?), KOD was not implemented, and the fact that I ignored the polls just made them send more often.
> 
> I concluded that filtering, rate-limiting and KOD are not suitable mechanisms to fend off badly written or badly configured clients.
> 
> Right now I only run an IPv6 pool server, and I don't see this problem now. Probably there are not so many badly written NTP clients that support IPv6. At least for now.

I tried employing limited and kod, but this didn't keep the ill-behaving
NTP clients from flooding my servers with requests. So I implemented
some rate limiting outside of the application. I specifically don't go
into details here, but I noticed that I was able to discard most of the
illicit traffic while allowing ill-behaving clients to some level. I was
also able to allow requests from large networks NATed behind a single IP
to my NTP servers. The traffic usage of my NTP servers is back to an
acceptable level. So my recommendation is to try to apply such
limitations yourself. You may want to contact me privately if you need
some private advice.

Best regards,

Marc
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
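As an added illustration of the trade-off discussed in this thread (not code from the list, from ntpd, or from Marc's own setup), the following constructed Python simulation runs a per-source token-bucket limiter over synthetic NTP poll traffic: a sane client polling every 64 s, a client stuck retrying every second, 50 hosts NATed behind one IP, and a source sending 20 packets a second. The client types, poll intervals and the two limiter settings (a lenient one sized for the NAT, a strict one close to the 15-second threshold mentioned above) are assumptions made for the example.

```python
"""Per-source token-bucket rate limiter for NTP-style UDP polls (constructed example)."""
from collections import defaultdict


class TokenBucket:
    """One bucket per source IP: `rate` tokens refill per second, `burst` is the cap."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.state = {}  # src -> (tokens, last_seen_time)

    def allow(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:                       # enough credit: serve the poll
            self.state[src] = (tokens - 1.0, now)
            return True
        self.state[src] = (tokens, now)         # drop silently, bucket keeps refilling
        return False


def simulate(rate, burst, requests):
    """requests: iterable of (time_s, src). Returns {src: (served, dropped)}."""
    bucket = TokenBucket(rate, burst)
    counts = defaultdict(lambda: [0, 0])
    for t, src in sorted(requests):
        counts[src][0 if bucket.allow(src, t) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def constructed_traffic(duration=600):
    """Synthetic 10-minute trace with the client types the thread talks about (assumed)."""
    reqs = [(t, "good") for t in range(0, duration, 64)]                # sane 64 s poll
    reqs += [(t, "bad") for t in range(duration)]                        # retries every second
    reqs += [(t, "nat") for i in range(50)                               # 50 hosts behind one IP,
             for t in range(i, duration, 64)]                            # each polling every 64 s
    reqs += [(t, "flood") for t in range(duration) for _ in range(20)]   # 20 packets per second
    return reqs


if __name__ == "__main__":
    for rate, burst in ((1.0, 32), (1 / 15, 8)):
        print(f"rate={rate:.3f}/s burst={burst}:", simulate(rate, burst, constructed_traffic()))
```

The lenient setting passes the whole NAT population and, as a side effect, the once-a-second client too, while still dropping about 95% of the flood; the strict setting cuts the once-a-second client down hard but throttles the NATed network just as much, which is the tension both posters describe.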