On 21/11/16 23:25, Max Grobecker wrote:
> The high offsets measured by the pool monitor may be unrelated to the DDoS
> filter, but the low scores based on unanswered packets can be explained by:
> I never got those request packets. Sometimes, the DDoS filter seems to eat a
> lot of NTP questions (!) directed to my server. Whenever this happens, I can
> see an additional hop in the traceroute right in front of my server, and from
> this second the incoming packet rate on port 123/UDP is decreasing to
> somewhat around 10-15%.

The fundamentals of a DDoS filter must be that they drop packets. There is no
other way it can work. Find traffic which looks dodgy and drop it. It's a
firewall. In some cases, they propagate the drops (whole IP addresses) to
upstream networks.

You'd have to find out what kind of matching rules the DDoS system is using.
Perhaps number of new sessions per /24 subnet.

The other option is that maybe the DDoS stuff doesn't have enough resources to
handle your pool traffic. If it were doing TCP traffic, then it will see a SYN,
some traffic and some RST packets at the end. When the session is closed, the
device can remove that session from memory.

With UDP traffic, you see some packets. There is no formal close, so the
session has to stay in memory until a timeout. I've seen firewall systems
where this is seconds and seen firewall systems where this is hours. Maybe it
can only handle a few thousand connections, and then runs out of memory and
blocks new sessions.

Or maybe some of the NTP traffic is really abusive, so it is being dropped.
Only it is dropping more sources than it should and causing some collateral
damage.

So I suggest you:

1) Just reduce your NTP bandwidth in the control panel, and don't worry
about it. Less traffic might not upset the limits.

and/or

2) Talk to the DDoS vendor and see how they work. Maybe they can whitelist
the NTP traffic. Or set higher limits for your server before it kicks in.

Tim


_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool