Hi Robert!

2015-04-05 7:15 GMT+01:00 Robert Gray <[email protected]>:

> Thanks Miguel
>
> Not something I'd thought to look at before but I found different
> addresses but the same result - a small number of originating high traffic
> IP addresses.
>
> Rate limiting seems a simple and obvious response unless there is a
> legitimate reason for this behaviour that I am unaware of?
>

Someone suggested that it could be a Carrier Grade NAT box. Well, IMHO, someone who has the money to buy such a thing could very well implement a local NTP server.

Cheers,
Miguel

On 5 April 2015 at 08:26, Miguel Barbosa Gonçalves <[email protected]> wrote:
>
>> Hi!
>>
>> I've added a server I own to the pool some weeks ago. The traffic level is
>> perfectly acceptable for the connectivity of the server. I am seeing around
>> 400 packets-per-second when serving only NTP traffic.
>>
>> Today, I decided to capture the traffic with tcpdump and analyse it. I was
>> a bit shocked...
>>
>> - Traffic was captured between 19:23:31 UTC+1 and 19:28:23 UTC+1. This is
>> a 292 second period.
>>
>> - During this period my server saw 76039 different IP addresses.
>>
>> - The IP addresses with the biggest number of queries were
>>
>>    1984 193.236.92.137
>>    1847 193.236.92.138
>>    1846 193.236.92.145
>>    1800 193.236.92.144
>>    1778 193.236.92.141
>>    1278 84.90.0.142
>>    1258 212.55.172.9
>>    1248 193.236.92.135
>>    1234 212.55.181.167
>>
>> The first 5 belong to the same entity. They queried my server 9255 times in
>> 292 seconds. This is 31 queries per second! The first IP address contacted
>> my server 6.79 times per second.
>>
>> I find this bad, very bad in fact. So, I added a rule in my firewall so
>> that there only can be one state per IP address. The UDP timeout in my
>> firewall is around 30 seconds so this limits the clients to one connection
>> every 30 seconds.
>>
>> I believe well behaved clients won't notice but these abusers will soon see
>> no responses.
>>
>> What do you think about this?
>>
>> Cheers,
>> Miguel
>> _______________________________________________
>> pool mailing list
>> [email protected]
>> http://lists.ntp.org/listinfo/pool
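
The per-source counting described in the quoted message, as an added example that is not part of the original thread: it tallies NTP client queries per source address and per source prefix over the capture window and reports average rates. The `tcpdump -n -tt` text format, the function names, the /24 grouping and the sample capture (documentation addresses) are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Text form of `tcpdump -n -tt udp port 123` for IPv4 (assumed capture format).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): NTPv\d, Client"
)

def summarize(lines, server_ip, prefix_len=24):
    """Count NTP client queries to server_ip per source and per source prefix."""
    per_ip, times = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if m and m["dst"] == server_ip and m["dport"] == "123":
            times.append(float(m["ts"]))
            per_ip[m["src"]] += 1
    if not times:
        return None
    per_net = Counter()
    for src, n in per_ip.items():
        # Grouping by prefix is a heuristic for "same operator", not proof.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        per_net[str(net)] += n
    window = (max(times) - min(times)) or 1.0  # avoid dividing by zero
    return {"window": window, "sources": len(per_ip),
            "per_ip": per_ip, "per_net": per_net}

def heavy(counter, window, min_qps):
    """Entries whose average rate over the window is at least min_qps."""
    return [(key, n, round(n / window, 2))
            for key, n in counter.most_common() if n / window >= min_qps]

def sample_capture(server="203.0.113.1", base=1_000_000_000):
    """Constructed capture: a 10 s window using documentation addresses."""
    def query(t, src, port):
        return f"{t:.6f} IP {src}.{port} > {server}.123: NTPv4, Client, length 48"
    lines = [query(base + i / 5, "192.0.2.10", 40000 + i) for i in range(51)]
    lines += [query(base + i / 2, "192.0.2.11", 41000 + i) for i in range(20)]
    lines.append(query(base + 3, "198.51.100.7", 123))
    # A server reply, which must not be counted as a query.
    lines.append(f"{base + 0.001:.6f} IP {server}.123 > 192.0.2.10.40000: "
                 "NTPv4, Server, length 48")
    return lines

if __name__ == "__main__":
    s = summarize(sample_capture(), "203.0.113.1")
    print(f"{s['sources']} sources in {s['window']:.0f} s")
    for table in ("per_ip", "per_net"):
        for key, n, qps in heavy(s[table], s["window"], min_qps=1.0):
            print(f"{table:8} {key:18} {n:5d} queries {qps:6.2f}/s")
```

The per-prefix table is what surfaces several busy addresses that sit in one network, which a per-address threshold alone would treat as unrelated clients.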
