Hello, Tim and all,

> I'd be curious to see some hard numbers on the percentage of
> compliant clients vs. non-compliant.

I became curious too. So I set up rate limiting via iptables (on my German plain vanilla IPv4 pool NTP server). I did so yesterday, let it settle overnight, and drew some reports this morning.

> ...a depressingly large number of non-compliant clients that I have to
> contend with.

I find the situation not quite as depressing. Here are my results. (I'll give details of how I measured this in a second message to follow shortly.)

My rate limiting simply drops requests when 10 or more come in from the same IP within the same 50 seconds. A mere 4% of the packets get dropped by that rule.

Looking into it in some detail, I found something I had not expected: many clients send a volley of (typically 4) NTP requests within a very short time. In my sample, about 11% of all clients sent a volley of 2-8 requests within 2.5 seconds - and that was it. Silence. They were never heard of again. Not within the 48 minutes covered by my data.

What do I think of this? Of course, our beloved only true and real ntpd would never show this behavior. Yet I think it could be quite legitimate. My speculation: on a tiny device, one may want to keep "clock setting" in the main control flow. Wait for it to have happened. Proceed to do other things only after the clock is set. Pushing clock setting into the quietness of background operation, as ntpd does, has advantages, but adds complexity. If an embedded device designer decides against that complexity, that might be a valid, sensible design decision. I guess with the "internet of things" gaining momentum, we'll see more of this in the future.

Admittedly, there are limits. Some 0.2% of clients in my sample sent their entire volley within a couple of iptables clock ticks (of 4 ms each). Regarding 9% of the clients in my sample, my server reports it received two or more requests from that same client within 8 ms.

Waiting a few dozen ms between consecutive requests seems like a sensible plan to me, even if one needs to wait for the clock to be set and is in a hurry. Yet, the abuse I see is far less than the "half of my clients" reported by Tim. Tim - what exactly did you see?

Regards,
Andreas

Timothy Oefelein wrote on 16.12.2013 at 22:09 MESZ:
> There isn't such a misconfiguration with ntpd. Alas, not everybody runs
> ntpd.
>
> I'd be curious to see some hard numbers on the percentage of compliant clients vs. non-compliant. The number of clients rate-limited by my iptables rules hovers close to 50%, which is rather depressing when you think about it. My rules are far more liberal than the default minpoll and burst options in NTPD, but I still see nearly half of my clients getting rate-limited from time to time. A handful of those are doubtless multiple machines behind NAT, but even allowing for that still leaves a depressingly large number of non-compliant clients that I have to contend with.
>
> Tim
>
>
> On 12/16/2013 10:07 AM, Matt Wagner wrote:
>> I'm still pretty curious what causes a client to do this, though. I can't see an obvious
>> misconfiguration that would do this.
>>
>> --
>> Matt
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
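The rate rule Andreas describes (drop when 10 or more requests arrive from one source within 50 seconds) and the two client behaviours the thread argues about are easy to make concrete with a small model. The following Python is an added example written for this page, not code from the pool list, from Andreas, Tim or the ntp.org project; it assumes requests arrive as (timestamp, source IP) pairs, treats the rule as a plain sliding-window count rather than reproducing the exact semantics of an iptables hashlimit or recent match, and runs on constructed traffic rather than any real server's logs.

```python
"""Model of a per-source NTP rate limit plus a census of client behaviour.

Added example, not code from the pool mailing list or its posters.
Assumptions: requests are (timestamp_seconds, source_ip) pairs, and the rule
"drop when 10 or more requests from one source fall within 50 seconds" is
modelled as a sliding-window count. That is a simplification of what an
iptables hashlimit/recent rule does, but it captures the thread's point.
"""
from collections import defaultdict, deque


def rate_limit(records, limit=10, window=50.0):
    """Return (accepted, dropped) request lists under a sliding-window rule.

    Every request, dropped or not, still counts towards the window, as with
    `-m recent --update` style rules: a source that keeps hammering stays
    blocked until it slows down.
    """
    seen = defaultdict(deque)
    accepted, dropped = [], []
    for ts, ip in sorted(records):
        q = seen[ip]
        q.append(ts)
        while q and q[0] < ts - window:      # forget requests older than the window
            q.popleft()
        (dropped if len(q) >= limit else accepted).append((ts, ip))
    return accepted, dropped


def profile_clients(records):
    """Per-source statistics: request count, span of activity, smallest gap."""
    by_ip = defaultdict(list)
    for ts, ip in records:
        by_ip[ip].append(ts)
    profiles = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        profiles[ip] = {
            "requests": len(times),
            "span": times[-1] - times[0],
            "min_gap": min(gaps) if gaps else None,
        }
    return profiles


def census(records, volley_max=8, volley_span=2.5, tight_gap=0.008):
    """Summarise the behaviours discussed in the thread.

    volley_then_silent: 2..8 requests inside 2.5 s and nothing else in the
    observation window.  tight_burst: two requests from one source less than
    8 ms apart.  Fractions are per client; the drop share is per packet.
    """
    profiles = profile_clients(records)
    n_clients = len(profiles)
    volley = [ip for ip, p in profiles.items()
              if 2 <= p["requests"] <= volley_max and p["span"] <= volley_span]
    tight = [ip for ip, p in profiles.items()
             if p["min_gap"] is not None and p["min_gap"] < tight_gap]
    _accepted, dropped = rate_limit(records)
    return {
        "clients": n_clients,
        "packets": len(records),
        "dropped_fraction": len(dropped) / len(records),
        "volley_then_silent_fraction": len(volley) / n_clients,
        "tight_burst_fraction": len(tight) / n_clients,
        "rate_limited_clients": sorted({ip for _, ip in dropped}),
    }


def sample_requests(observation=48 * 60):
    """Constructed traffic for a 48-minute observation window (not real data)."""
    reqs = []
    # ntpd-like client polling every 64 s
    reqs += [(t, "10.0.0.1") for t in range(0, observation, 64)]
    # aggressive but legal client at minpoll 4 (every 16 s)
    reqs += [(t, "10.0.0.5") for t in range(0, observation, 16)]
    # "set the clock and move on" device: four requests, then silence
    reqs += [(100.0 + 0.5 * i, "10.0.0.2") for i in range(4)]
    # same idea but far too tight: three requests within 6 ms
    reqs += [(200.0 + 0.003 * i, "10.0.0.3") for i in range(3)]
    # misbehaving client: one request per second for a full minute
    reqs += [(float(t), "10.0.0.4") for t in range(300, 360)]
    return reqs


if __name__ == "__main__":
    for key, value in census(sample_requests()).items():
        print(f"{key}: {value}")
```

On the constructed traffic only the one-request-per-second source is ever rate-limited; the 16-second poller, the four-shot "set the clock and move on" device and the 64-second ntpd-style client all pass, which is the sense in which a 10-in-50-seconds rule is far more liberal than ntpd's own minpoll. The dropped-packet share and the share of volley-then-silent clients are the two figures Andreas reports, so pointing `census` at a real per-request log reproduces his measurement.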
