> I tried employing limited and kod, but this didn't keep the
> ill-behaving NTP clients from flooding my servers with requests.  So I
> implemented some rate limiting outside of the application.
Back when I had a host in the pool, I did likewise.  Here is the number
of times it tripped, by month, from 2012-12 (which is as far back as
it's convenient to go at the moment) to present.  I stopped serving NTP
on my (then-)pool address at the end of August and of course got
auto-dropped from being advertised shortly thereafter.

	2012-12	378
	2013-01	379
	2013-02	433
	2013-03	361
	2013-04	455
	2013-05	352
	2013-06	487
	2013-07	571
	2013-08	512
	2013-09	0
	2013-10	0
	2013-11	0
	2013-12	14

Actually, those are numbers of log lines; a single incident sometimes
produces multiple log lines, but I just had a quick look, and it
definitely is many incidents per day; I see 2910 distinct <day,IP>
pairs, so somewhere around 7.5 trips per day.

I find it interesting that the misbehaviour stopped almost immediately
upon my stopping NTP service on that address.  (It would be difficult
for me to tell how promptly NTP traffic stopped.)  I also find it
interesting that the misbehaviour stopped even though that host is
still serving NTP on its other addresses (which are nearby, in the same
/16 as the pool address); whether the floods are coming from abusive
clients or DDoS attempts or what, they clearly are using the pool to
get their addresses.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		[email protected]
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
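The tally above distinguishes raw log lines from distinct <day,IP> pairs, because one flooding client can trip an external rate limit several times in a row and produce several log lines for what is really one incident. The script below is an added example, not the poster's own tooling, showing one way to do that accounting: it assumes the rate limit was enforced by a netfilter rule whose LOG target writes kernel messages with a hypothetical "NTP-FLOOD:" prefix, and that syslog records them with RFC 3339 timestamps (so the year is present on each line). The sample log lines are constructed for the example; the addresses are from the documentation ranges.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post).  Format assumed:
# <RFC 3339 timestamp> <host> kernel: NTP-FLOOD: <netfilter fields...>
# The "NTP-FLOOD:" prefix is a hypothetical --log-prefix chosen for this example.
SAMPLE_LOG = """\
2012-12-03T10:15:22+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2012-12-03T10:15:22+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2012-12-03T10:15:23+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2012-12-03T22:40:01+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2012-12-04T01:02:03+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2013-01-15T08:00:00+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2013-01-15T08:00:00+00:00 host kernel: NTP-FLOOD: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.1 PROTO=UDP SPT=123 DPT=123
2013-01-16T08:00:00+00:00 host sshd[1234]: unrelated line that must be ignored
"""

# Capture the calendar day from the timestamp and the source address from the
# netfilter SRC= field; anything not carrying the prefix is skipped.
LINE_RE = re.compile(
    r'^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ kernel: NTP-FLOOD: '
    r'.*?\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b'
)


def summarize(log_text):
    """Return (log_lines_per_month, incidents_per_month).

    An "incident" is a distinct <day, source IP> pair, so repeated trips by
    the same client on the same day count once, as in the post's tally.
    """
    lines_per_month = Counter()
    incidents_per_month = Counter()
    seen_pairs = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, src = m.group('day'), m.group('src')
        month = day[:7]                      # "YYYY-MM"
        lines_per_month[month] += 1
        if (day, src) not in seen_pairs:
            seen_pairs.add((day, src))
            incidents_per_month[month] += 1
    return lines_per_month, incidents_per_month


def total_incidents(incidents_per_month):
    """Total distinct <day, IP> pairs over the whole log."""
    return sum(incidents_per_month.values())


if __name__ == '__main__':
    lines, incidents = summarize(SAMPLE_LOG)
    print('month    lines  incidents')
    for month in sorted(lines):
        print(f'{month}  {lines[month]:5d}  {incidents[month]:9d}')
    print('distinct <day,IP> pairs:', total_incidents(incidents))
```

Dividing the distinct-pair total by the number of days covered gives the "trips per day" figure the post quotes; the per-month line counts are the raw numbers in the table, and the gap between the two columns is how much a single noisy client inflates them.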
