Thanks Miguel

Not something I'd thought to look at before but I found different addresses but the same result - a small number of originating high traffic IP addresses.

Rate limiting seems a simple and obvious response unless there is a legitimate reason for this behaviour that I am unaware of?

Robert Gray

On 5 April 2015 at 08:26, Miguel Barbosa Gonçalves <[email protected]> wrote:
> Hi!
>
> I've added a server I own to the pool some weeks ago. The traffic level is
> perfectly acceptable for the connectivity of the server. I am seeing around
> 400 packets-per-second when serving only NTP traffic.
>
> Today, I decided to capture the traffic with tcpdump and analyse it. I was
> a bit shocked...
>
> - Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1. This is
> a 292 second period.
>
> - During this period my server saw 76039 different IP addresses.
>
> - The IP addresses with the biggest number of queries were
>
> 1984 193.236.92.137
> 1847 193.236.92.138
> 1846 193.236.92.145
> 1800 193.236.92.144
> 1778 193.236.92.141
> 1278 84.90.0.142
> 1258 212.55.172.9
> 1248 193.236.92.135
> 1234 212.55.181.167
>
> The first 5 belong to the same entity. They queried my server 9255 times in
> 292 seconds. This is 31 queries per second! The first IP address contacted
> my server 6.79 times per second.
>
> I find this bad, very bad in fact. So, I added a rule in my firewall so
> that there only can be one state per IP address. The UDP timeout in my
> firewall is around 30 seconds so this limits the clients to one connection
> every 30 seconds.
>
> I believe well behaved clients won't notice but these abusers will soon see
> no responses.
>
> What do you think about this?
>
> Cheers,
> Miguel
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
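The per-source tally described in this thread, as an added example that is not code from either poster: it assumes text output from `tcpdump -n -tt` (IPv4 only), runs on constructed sample lines using documentation-range addresses, and also groups sources by /24 as a rough stand-in for "same entity". The function names, the `min_qps` threshold and the /24 grouping are illustrative assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches text lines from "tcpdump -n -tt udp dst port 123" (IPv4 only).
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.123: ")

def top_talkers(lines, min_qps=1.0):
    """Return (window_seconds, [(ip, queries, qps)] above min_qps, per-/24 counts)."""
    per_ip, per_net, stamps = Counter(), Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a query to port 123
        stamps.append(float(m.group(1)))
        src = m.group(2)
        per_ip[src] += 1
        # /24 grouping is an assumption; real allocations may differ.
        per_net[str(ip_network(src + "/24", strict=False))] += 1
    window = (max(stamps) - min(stamps)) if stamps else 0.0
    if window <= 0:
        return 0.0, [], per_net  # cannot compute a rate from one instant
    offenders = [(ip, n, round(n / window, 2))
                 for ip, n in per_ip.most_common() if n / window >= min_qps]
    return window, offenders, per_net

def sample_capture():
    """Constructed capture: 10 s window, three sources, documentation addresses."""
    t0, out = 1428258211.0, []
    plan = {"198.51.100.7": 50, "198.51.100.9": 20, "203.0.113.5": 2}
    for ip, n in plan.items():
        for i in range(n):
            ts = t0 + 10.0 * i / (n - 1)  # spread evenly over the window
            out.append(f"{ts:.6f} IP {ip}.{40000 + i} > 192.0.2.10.123: "
                       "NTPv4, Client, length 48")
    return out

if __name__ == "__main__":
    window, offenders, nets = top_talkers(sample_capture())
    print(f"capture window: {window:.0f} s")
    for ip, n, qps in offenders:
        print(f"{n:6d} {ip:15s} {qps:.2f} q/s")
    for net, n in nets.most_common():
        print(f"{n:6d} {net}")
```
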
