Hi! I added a server I own to the pool some weeks ago. The traffic level is perfectly acceptable for the connectivity of the server. I am seeing around 400 packets-per-second when serving only NTP traffic.

Today, I decided to capture the traffic with tcpdump and analyse it. I was a bit shocked...

- Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1. This is a 292 second period.
- During this period my server saw 76039 different IP addresses.
- The IP addresses with the biggest number of queries were

    1984 193.236.92.137
    1847 193.236.92.138
    1846 193.236.92.145
    1800 193.236.92.144
    1778 193.236.92.141
    1278 84.90.0.142
    1258 212.55.172.9
    1248 193.236.92.135
    1234 212.55.181.167

The first 5 belong to the same entity. They queried my server 9255 times in 292 seconds. This is 31 queries per second! The first IP address contacted my server 6.79 times per second.

I find this bad, very bad in fact. So, I added a rule in my firewall so that there only can be one state per IP address. The UDP timeout in my firewall is around 30 seconds so this limits the clients to one connection every 30 seconds. I believe well behaved clients won't notice but these abusers will soon see no responses.

What do you think about this?

Cheers,
Miguel
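
The following is an added example, not part of the original message: it repeats the per-source count on a capture and then replays the same packets through a simplified model of a "one state per source IP, 30 second idle timeout" rule to show who would stop getting answers. The capture lines, addresses, function names and the state model itself are assumptions made for illustration; real firewalls differ in how they key and refresh UDP states.

```python
import re
from collections import Counter

# tcpdump -n -tt style line: "<epoch> IP <src>.<sport> > <dst>.123: NTPv4, ..."
LINE = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > \S+\.123: NTP")

def constructed_capture():
    """Constructed sample (documentation addresses), not data from the post."""
    fmt = "{:.6f} IP {}.{} > 203.0.113.5.123: NTPv4, Client, length 48"
    # One source sending 2 queries/s, each from a fresh source port.
    rows = [(1000 + i * 0.5, "198.51.100.7", 50000 + i) for i in range(20)]
    # Two ordinary clients using a fixed source port and long poll intervals.
    rows += [(1000.0, "192.0.2.10", 123), (1064.0, "192.0.2.10", 123),
             (1005.0, "192.0.2.20", 123)]
    return "\n".join(fmt.format(*r) for r in sorted(rows))

def parse(text):
    """Return [(timestamp, src_ip, src_port)] for NTP queries in the capture."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((float(m.group(1)), m.group(2), int(m.group(3))))
    return out

def top_talkers(events, n=10):
    """Per-source query count and queries/second over the capture window."""
    window = max(events[-1][0] - events[0][0], 1e-9)
    return [(ip, c, c / window) for ip, c in
            Counter(ip for _, ip, _ in events).most_common(n)]

def simulate_state_limit(events, timeout=30.0):
    """Assumed model: one state per source IP, idle timeout `timeout` seconds.
    A packet on the live state passes and refreshes it; a packet that would
    need a second state (different source port) is dropped."""
    state, passed, dropped = {}, Counter(), Counter()
    for ts, ip, port in events:
        live = state.get(ip)
        if live and ts - live[1] < timeout and live[0] != port:
            dropped[ip] += 1
            continue
        state[ip] = (port, ts)
        passed[ip] += 1
    return passed, dropped

if __name__ == "__main__":
    ev = parse(constructed_capture())
    print(top_talkers(ev, 3))
    print(simulate_state_limit(ev))
```

Under this model a source that reuses one source port keeps matching its existing state, so the rule mainly affects sources that open a new flow for every query or many hosts sharing one address.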
