[email protected] said:
> Are you aware of any attributes in the requests that would differentiate
> them in a predictable way? All I've been able to find is things like "my
> QNAP NAS uses source port 1001".

There are two types of abusive behavior.

One is sending packets too fast to a single server. You can get info on that
with ntpq's mrulist command. That assumes you are running ntpd and have set it
up with a big enough list to hold the traffic long enough for your tools to
capture the data.

I see things like this on a pool server using
  mru mincount=1000 sort=avgint

lstint avgint rstr r m v  count rport remote address
===============================================================================
 24388  0.040   90 . 3 4   1722 39898 75.82.102.168
  9484  0.058   90 . 3 4   2646 64905 24.252.30.36
 96898  0.065   90 . 3 3   1818 46473 73.231.78.50
 98864  0.068   90 . 3 3   2081 33559 73.90.92.68
 83805  0.071   90 . 3 3   1511 59872 2606:6000:cb89:f700:11c1:65e4:a6be:6a0f
 14987  0.075   90 . 3 3   1898 43228 98.210.237.203
 52792  0.075   90 . 3 3   1902 42093 201.103.75.77
 50143  0.075   90 . 3 3   1676 60838 2601:203:1:3b26:bd7c:8afc:d05e:2d8f
 79366  0.076   90 . 3 3   1667 53176 72.193.196.3
 85057  0.080   90 . 3 3   1879 36388 68.224.147.94
 49273  0.083   90 . 3 3   1539 38476 142.129.80.137
  1823  0.086   90 . 3 4   1740   123 108.236.81.201
 51268  0.088   90 . 3 4   1714 59052 73.112.38.204
 72742  0.091   90 . 3 3   1369 52521 50.132.87.190
 67224  0.094   90 . 3 3   1306 50084 50.24.15.62
 80484  0.095   90 . 3 3   1126 37822 152.200.152.187
 65092  0.100   90 . 3 3   1516 41305 174.125.103.89
 44465  0.100   90 . 3 3   1497 36656 192.92.208.109
 48002  0.101   90 . 3 3   1441 50643 174.134.177.218
...

The other sort of abusive behavior is to send reasonable traffic to an
unreasonable number of servers. That's what caused the recent blast of traffic
to the pool. I don't know of any reasonable way for server operators to detect
this sort of traffic.

-- 
These are my opinions. I hate spam.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
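
An added example, not part of the original post: a small Python parser for mrulist output in the column layout shown above, flagging sources that send too fast to a single server. The sample rows are constructed with documentation-range addresses, and the names and the max_avgint threshold are assumptions; min_count mirrors the mincount=1000 used in the post.

```python
from dataclasses import dataclass

# Constructed sample in the column layout shown in the post
# (documentation-range addresses, not real clients).
SAMPLE = """\
lstint avgint rstr r m v  count rport remote address
==============================================================================
 24388  0.040   90 . 3 4   1722 39898 192.0.2.10
  9484  0.058   90 . 3 4   2646 64905 2001:db8::a6be:6a0f
  1823  0.086   90 . 3 4   1740   123 198.51.100.7
    12   64.1   d0 . 3 4   5000 40000 203.0.113.9
     3  0.500   90 . 3 4     40 41000 192.0.2.77
this line is not an mrulist row
"""

@dataclass
class Entry:
    lstint: int      # seconds since the last packet from this source
    avgint: float    # average seconds between packets from this source
    count: int       # packets seen from this source
    rport: int       # source port of the most recent packet
    addr: str        # IPv4 or IPv6 source address

    @property
    def rate(self) -> float:
        """Average packets per second implied by avgint."""
        return 1.0 / self.avgint if self.avgint > 0 else float("inf")

def parse_mrulist(text):
    """Return an Entry per data row; header, separator and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:          # data rows have exactly nine columns
            continue
        try:
            entries.append(Entry(int(f[0]), float(f[1]), int(f[6]), int(f[7]), f[8]))
        except ValueError:
            continue             # nine words, but not numeric where expected
    return entries

def fast_senders(entries, max_avgint=1.0, min_count=1000):
    """Sources averaging at most max_avgint seconds between packets, fastest first."""
    hits = [e for e in entries if e.avgint <= max_avgint and e.count >= min_count]
    return sorted(hits, key=lambda e: e.avgint)

if __name__ == "__main__":
    for e in fast_senders(parse_mrulist(SAMPLE)):
        print(f"{e.addr:40} {e.rate:6.1f} pkt/s avg, {e.count} pkts, rport {e.rport}")
```

This only covers the first kind of abuse described in the post; a single server's list cannot show a client spreading reasonable traffic across many servers.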
