Miguel Barbosa Gonçalves wrote:
> The first 5 belong to the same entity. They queried my server 9255 times in 292 seconds. This is 31 queries per second! The first IP address contacted my server 6.79 times per second. I find this bad, very bad in fact. So, I added a rule in my firewall so that there can only be one state per IP address. The UDP timeout in my firewall is around 30 seconds, so this limits the clients to one connection every 30 seconds.
There are different kinds of abusers.

One possible cause for such query rates is that these are in fact NAT routers that serve a large number of systems, each making their NTP queries at an acceptable rate but together sending traffic at such high rates. Of course the admin should set up a local NTP server, sync that to the pool, and refer the internal clients to that server. But admins think that is too much work; the way they do it now "just works". Of course it would be less of a problem if there were a large number of servers in the .pt area.

Another kind is the jerk that just wants to break things. With the size of the internet today, there always are a large number of jerks even when it is only a small percentage of users. Not much can be done about it; the jerk does not even have to be at the location the whois points to, because there are so many incompetent ISPs out there that do not perform source address filtering (BCP 38). They may be trying to DDOS the people that you think are the cause.

A third kind is the broken NTP client. Unfortunately for you, there are clients that increase the query rate when they get little or no response. So, when you rate limit the requests, the rate actually *increases* to make up for it. So be very careful when doing rate limiting and always monitor the effect of it.

Rob

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
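The thread makes two measurable points: per-source query rates (and rates per prefix, since "the first 5 belong to the same entity"), and Rob's warning that a broken client can respond to rate limiting by querying *more*, so the effect of a firewall rule has to be monitored rather than assumed. The script below is an added example and is not code from the pool mailing list, from ntpd or from any pool server; it assumes a hypothetical per-request log of the form `<epoch seconds> <source IP>` (something a firewall log or an ntpd with request logging could be massaged into), and the sample lines are constructed, not captured from any real server. It computes per-source and per-/24 rates over a fixed window, flags sources above a threshold, and compares a window before and after a rate limit was applied to find sources whose rate went up instead of down.

```python
"""Per-source NTP query-rate analysis and before/after rate-limit comparison.

Added example for the pool mailing list thread above; not the list's,
ntpd's or any pool operator's own code. Log format (hypothetical):
    "<epoch seconds> <source IP>"  one line per received NTP request.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 30.0  # matches the ~30 s UDP state timeout in the thread


def parse_log(text):
    """Parse '<epoch> <ip>' lines into (timestamp, ip) tuples; skip bad lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            entries.append((float(parts[0]), ip_address(parts[1])))
        except ValueError:
            continue  # malformed timestamp or address
    return entries


def counts_per_source(entries, prefixlen=None):
    """Queries per source address, or per prefix (e.g. /24) when prefixlen is set."""
    counts = Counter()
    for _, ip in entries:
        key = ip_network(f"{ip}/{prefixlen}", strict=False) if prefixlen else ip
        counts[str(key)] += 1
    return counts


def rates(counts, window_seconds=WINDOW_SECONDS):
    """Convert per-key counts into queries per second over the window."""
    return {key: n / window_seconds for key, n in counts.items()}


def total_rate(entries, window_seconds=WINDOW_SECONDS):
    """Aggregate queries per second hitting the server in the window."""
    return len(entries) / window_seconds


def flag_abusers(rate_map, threshold_qps):
    """Keys whose rate exceeds threshold_qps, sorted for stable output."""
    return sorted(key for key, qps in rate_map.items() if qps > threshold_qps)


def escalating_sources(before_rates, after_rates, factor=1.5):
    """Sources seen in both windows whose rate rose by `factor` or more.

    This is the signature Rob warns about: a client that ramps up when it
    stops getting answers. A correctly behaving client backs off instead.
    """
    return sorted(
        ip for ip, qps in after_rates.items()
        if before_rates.get(ip, 0) > 0 and qps / before_rates[ip] >= factor
    )


# ---- constructed sample data (not real traffic) ---------------------------
def _make_lines(ip, count, interval, start=1700000000.0):
    return [f"{start + i * interval:.3f} {ip}" for i in range(count)]


# Before the firewall rule: two hosts in one /24 hammering the server, one
# NAT-looking source at 2 q/s, and one well-behaved client (1 query / 30 s).
BEFORE_LOG = "\n".join(
    _make_lines("203.0.113.5", 200, 0.15)     # ~6.7 q/s
    + _make_lines("203.0.113.6", 100, 0.30)   # ~3.3 q/s
    + _make_lines("198.51.100.7", 60, 0.50)   # 2.0 q/s
    + _make_lines("192.0.2.9", 1, 64.0)       # sane poll interval
)

# After limiting to one state per IP: one source doubled its rate (broken
# client), one backed off, the others are unchanged.
AFTER_LOG = "\n".join(
    _make_lines("203.0.113.5", 400, 0.075)
    + _make_lines("203.0.113.6", 100, 0.30)
    + _make_lines("198.51.100.7", 1, 30.0)
    + _make_lines("192.0.2.9", 1, 64.0)
)


def analyze(before_text=BEFORE_LOG, after_text=AFTER_LOG, threshold_qps=1.0):
    """Run the whole analysis and return the results as a dict."""
    before = parse_log(before_text)
    after = parse_log(after_text)
    before_rates = rates(counts_per_source(before))
    after_rates = rates(counts_per_source(after))
    return {
        "total_before_qps": total_rate(before),
        "total_after_qps": total_rate(after),
        "per_source_before": before_rates,
        "per_prefix_before": rates(counts_per_source(before, prefixlen=24)),
        "abusers_before": flag_abusers(before_rates, threshold_qps),
        "escalated_after_limit": escalating_sources(before_rates, after_rates),
    }


if __name__ == "__main__":
    result = analyze()
    print(f"aggregate before: {result['total_before_qps']:.2f} q/s, "
          f"after: {result['total_after_qps']:.2f} q/s")
    print("per-/24 before:", result["per_prefix_before"])
    print("sources above threshold before:", result["abusers_before"])
    print("sources that ramped UP after limiting:", result["escalated_after_limit"])
```

The per-prefix view is what surfaces "five addresses, one entity"; the before/after comparison is the monitoring step Rob asks for, and any source in `escalated_after_limit` is a candidate for a longer block rather than a tighter rate limit, since rate limiting alone provokes it.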
