Hello, Roger,

If you have a lot less than 600 abusive clients, then there is no problem with the old ntpd rate limiting. I don't argue with that. Agreed.

I guess I'm afraid of a botnet attack. In the scenario that concerns me, considerably more than 600 clients simultaneously try to use several ntpd not for amplification, but just for reflection. How realistic such an attack scenario is, I do not know. I certainly have not seen it. Of course, a botnet could simply send junk directly, without reflection, with little additional risk to the botnet's slave holder. So my concern may well be just "math on the empty set". (But then, maybe it's not.)

Still, besides the usual incantation of "limited kod notrap nomodify nopeer noquery" (and, given the recent debate here on the list, I'm debating with myself whether to remove "kod" one of these days) I'm fond of my iptables setup on top of that. Let's say it just so slightly helps me sleep better.

Regards,

Andreas

On 10.01.2014 00:08, Roger Lynn wrote:
> On 08/01/14 22:04, Andreas Krüger wrote:
>>> ntpd is doing the rate limiting by itself just fine. You do not need to have a firewall in front of it for doing rate limiting.
>> I disagree.
>>
>> This is true only if you have a VERY recent version of ntpd. So recent, it hasn't been released, at least not as of Dec 17. Compare http://lists.ntp.org/pipermail/pool/2013-December/006724.html .
>>
>> Older versions of ntpd keep state only for 600 clients. If you have more clients than that, the built-in rate limiting of ntpd becomes overloaded. You are likely to have more clients than that, once you let your ntpd enter the pool.
> This is only a problem if you have more than 600 abusive clients at one time. In several years of running pool servers with configured speeds between 100 and 500 Mbit I have not seen this. Maybe I have been lucky, or maybe I just haven't looked at the right time. I have seen several individual clients with more than 100000 queries recorded in monlist.
>
> As an example, if you have 10000 well behaved clients querying on average every 1000 seconds and 400 abusive clients querying every 10 seconds then the abusive clients will remain in the list and will be blocked. The fact that the well behaved clients are forgotten does not matter. If an abusive client goes away it will also be forgotten, but it will soon be blocked again if it returns. So long as noquery and nomodify are specified this is fine.
>
> Again, so long as noquery and nomodify are given, the harm that abusive clients can do is very limited, even if they are not blocked. The server is useless for an amplification attack and the main problem is a small amount of wasted resources.
>
> Roger
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
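The exchange above turns on how a client-state table capped at roughly 600 entries behaves when 10000 well-behaved clients poll every 1000 seconds and 400 abusive clients poll every 10 seconds, and on what changes once the abusive clients outnumber the table. The following Python model is an added illustration written for this page; it is not ntpd's code and nothing from the list. It keeps a bounded most-recently-used table, serves any client it has no record of, rate-limits a remembered client that returns faster than a constructed 16-second threshold, and replays both Roger's scenario and the case Andreas worries about. The threshold, the client counts, the staggered start times and the 3000-second run length are all assumptions, not ntpd's defaults or behaviour.

```python
"""Simplified model of a bounded most-recently-used (MRU) client table with
per-client rate limiting.  Added illustration only: not ntpd's algorithm,
and every number below is constructed for the example."""
import heapq
from collections import OrderedDict

MRU_CAPACITY = 600     # table size discussed in the thread
MIN_INTERVAL = 16.0    # constructed: a remembered client returning faster is limited


class MruRateLimiter:
    """Serve or rate-limit packets while remembering only `capacity` clients."""

    def __init__(self, capacity=MRU_CAPACITY, min_interval=MIN_INTERVAL):
        self.capacity = capacity
        self.min_interval = min_interval
        self.mru = OrderedDict()   # addr -> time of last packet, oldest first
        self.evictions = 0

    def packet(self, addr, now):
        """Return True if the packet is served, False if it is rate-limited."""
        last = self.mru.pop(addr, None)
        self.mru[addr] = now            # (re)insert at the most-recent end
        if last is None:
            # Unknown client: no history, so it is served; if the table is
            # full, the least recently seen client is forgotten to make room.
            if len(self.mru) > self.capacity:
                self.mru.popitem(last=False)
                self.evictions += 1
            return True
        return (now - last) >= self.min_interval


def simulate(n_good=10000, good_interval=1000.0,
             n_bad=400, bad_interval=10.0, duration=3000.0):
    """Replay the scenario: many polite clients plus some abusive ones.

    Returns a dict of served/limited counts per client kind, plus the number
    of evictions and the final table size.
    """
    limiter = MruRateLimiter()
    stats = {"good_served": 0, "good_limited": 0,
             "bad_served": 0, "bad_limited": 0}
    # Event heap of (time, addr, interval, kind); start times are staggered so
    # traffic arrives evenly instead of in one burst (a constructed choice).
    events = []
    for i in range(n_good):
        heapq.heappush(events, (i * good_interval / n_good, f"good-{i}",
                                good_interval, "good"))
    for j in range(n_bad):
        heapq.heappush(events, (j * bad_interval / n_bad, f"bad-{j}",
                                bad_interval, "bad"))
    while events:
        now, addr, interval, kind = heapq.heappop(events)
        if now >= duration:          # heap is time-ordered, so nothing later fits
            break
        served = limiter.packet(addr, now)
        stats[f"{kind}_{'served' if served else 'limited'}"] += 1
        heapq.heappush(events, (now + interval, addr, interval, kind))
    stats["evictions"] = limiter.evictions
    stats["table_size"] = len(limiter.mru)
    return stats


if __name__ == "__main__":
    print("Roger's scenario (400 abusive clients):")
    for key, value in simulate().items():
        print(f"  {key:13s} {value}")
    print("More abusive clients than the table holds (1000):")
    for key, value in simulate(n_bad=1000).items():
        print(f"  {key:13s} {value}")
```

With 400 abusive clients the table settles at all 400 of them plus the 200 most recently seen polite clients: every polite client has been forgotten by the time it returns, so it is served as a stranger, while every abusive client is still remembered and every one of its repeat packets is limited. Raising the abusive count to 1000 flips the outcome: each abusive client is pushed out of the 600-entry table before its next packet arrives, so the limiter never recognises it and serves every packet, which is exactly the state-exhaustion case the thread is arguing about.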
