2011/10/9 Miguel Gonçalves <[email protected]>:
> In the meantime, I started getting traffic (not a big deal: 20-30
> kbit/s) and I noticed that ntpdc's monlist breaks with more than 600
> clients.
>
> I really don't care about who is querying my server but I do mind if
> some crazy user starts polling every second. What can be done about
> this?

You can enable rate limiting and Kiss O'Death responses. By default, neither option is enabled. When rate limiting is enabled, ntpd will not respond to queries which exceed the rate limits. When both are enabled, ntpd will also occasionally send a KoD response with refid RATE in response to clients exceeding the rate limit, which will cause well-behaved clients like ntpd to back off the query rate. Note the rate limiting is only effective when the client IP is found in the monlist.

I see from ntpq -crv that you are using ntpd 4.2.4, which like 4.2.6 is limited to 600 entries in the monlist. 600 entries is not that many when servicing 20-30 kilobits/sec, given the tiny size of NTP queries. If you upgrade to 4.2.7, the size of the list is limited only by your configuration and willingness to let ntpd use memory. Also in 4.2.7, there's a new "ntpq -c mrulist" which can retrieve the entire monlist, regardless of its size, in most cases. Because the list is broken into chunks, there is a race between mrulist retrieval by ntpq and incoming client queries, so running ntpq locally is advised to increase the odds it wins the race on busy NTP servers.

The default rate limiting kicks in for clients sending more than one query every two seconds. Most versions of ntpdate exceed this limit, as they send queries as soon as the prior reply is received. Recent versions limit themselves to once per two seconds per source. You can adjust the rate limit to allow most ntpdate queries to receive replies, while still denying service to even more aggressive clients. The setting's units changed for 4.2.7, so the instructions are version dependent. On a pool server I am involved in operating, ntp.conf contains:

    # allow ntpdate clients to avoid rate limiting/KoD response.
    #discard minimum 0   # pre-4.2.7p47 units are log2 s
    discard minimum 1    # 4.2.7p47 units are s
    restrict default kod limited notrap nomodify
    # uncomment following prior to 4.2.6, restrict default affected only IPv4 clients
    #restrict -6 default kod limited notrap nomodify

If you upgrade to 4.2.7, which will allow more than 600 entries in your most-recently-heard monlist/mrulist, the snippets above are correct. If you stick with 4.2.4, switch the comments on the discard lines, and uncomment the restrict -6 line. (Don't worry if you don't use IPv6 yet, better to be prepared.)

Take care,
Dave Hart

P.S. As an aside, there are apparently some sample configurations included by OSes in the wild which use "restrict default kod" without the limited restriction. This is the same as not mentioning the kod restriction, as far as RATE KoDs go, because without the "limited" restriction, ntpd never gets to the code that sends RATE KoDs.

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
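An added example, not code from Dave Hart's mail or from the ntp project: a small Python audit of an ntp.conf against the points made in the reply above. It flags the "kod" without "limited" trap from the P.S. (rate limiting off, so RATE KoDs are never sent), reports the effective minimum inter-query interval given the version-dependent units of "discard minimum", and notes the pre-4.2.6 need for a separate "restrict -6 default". The two sample configs, the finding codes and the version-parsing helper are constructed for this example; the version boundaries (600-entry monlist through 4.2.6, units changing at 4.2.7p47, "restrict default" covering IPv6 only from 4.2.6) are the ones the mail states.

```python
"""Audit an ntp.conf for the rate-limiting / KoD points raised in the mail.

Added example; not from the ntp.org list or the ntp project. Version
boundaries below are those stated in the mail; the sample configs and
finding codes are constructed for this example.
"""
import re

# Constructed sample configs (not from the mail).
WEAK_CONF = """\
# OS-shipped style flagged in the P.S.: kod without limited
restrict default kod notrap nomodify noquery
restrict 127.0.0.1
"""

FIXED_CONF = """\
discard minimum 1   # 4.2.7p47+ units are seconds
restrict default kod limited notrap nomodify
restrict 127.0.0.1
"""

# Version boundaries stated in the mail.
V_RESTRICT_DEFAULT_BOTH_FAMILIES = (4, 2, 6, 0)  # before this, 'restrict default' is IPv4 only
V_DISCARD_MINIMUM_IN_SECONDS = (4, 2, 7, 47)     # before this, units are log2 seconds


def parse_version(text):
    """Turn '4.2.7p47' or 'ntpd 4.2.4p8@1.1612-o' into a comparable tuple.

    The 'p' patch level is the fourth element; a release without one is patch 0.
    """
    m = re.search(r'(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', text)
    if not m:
        raise ValueError('no ntpd version found in %r' % text)
    return tuple(int(x or 0) for x in m.groups())


def directives(conf_text):
    """Yield (keyword, args) per ntp.conf line, ignoring comments and blanks."""
    for raw in conf_text.splitlines():
        words = raw.split('#', 1)[0].split()
        if words:
            yield words[0], words[1:]


def min_interval_seconds(discard_minimum, version):
    """Minimum spacing between queries from one client before it is rate limited.

    None means 'discard minimum' is absent: the mail's default is one query
    per two seconds on both sides of the unit change.
    """
    if discard_minimum is None:
        return 2
    if version < V_DISCARD_MINIMUM_IN_SECONDS:
        return 2 ** discard_minimum   # log2 seconds
    return discard_minimum            # plain seconds


def audit(conf_text, ntpd_version):
    """Return {'findings': ['code: detail', ...], 'min_interval_s': n}."""
    ver = parse_version(ntpd_version)
    default_flags = {'ipv4': None, 'ipv6': None}
    discard_minimum = None

    for key, args in directives(conf_text):
        if key == 'discard':
            # 'discard average N minimum M monitor K', pairs in any order
            for name, value in zip(args[::2], args[1::2]):
                if name == 'minimum':
                    discard_minimum = int(value)
        elif key == 'restrict':
            fam = None
            if args and args[0] in ('-4', '-6'):
                fam, args = args[0], args[1:]
            if not args or args[0] != 'default':
                continue  # per-host / per-net restrictions are out of scope here
            flags = set(args[1:])
            if fam in (None, '-4'):
                default_flags['ipv4'] = flags
            if fam == '-6' or (fam is None and ver >= V_RESTRICT_DEFAULT_BOTH_FAMILIES):
                default_flags['ipv6'] = flags

    findings = []
    for family, flags in default_flags.items():
        if flags is None:
            detail = '%s clients have no default restriction' % family
            if family == 'ipv6' and ver < V_RESTRICT_DEFAULT_BOTH_FAMILIES:
                detail += ' (this version needs an explicit "restrict -6 default")'
            findings.append('no-default-restrict: ' + detail)
            continue
        if 'limited' not in flags:
            findings.append('no-limited: %s default lacks "limited", rate limiting is off' % family)
            if 'kod' in flags:
                findings.append('kod-without-limited: %s "kod" is inert, RATE KoDs are never sent' % family)

    return {'findings': findings,
            'min_interval_s': min_interval_seconds(discard_minimum, ver)}


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        for v in ('4.2.4p8', '4.2.7p47'):
            print(label, v, audit(conf, v))
```

Run against the "fixed" config with a 4.2.4 version string, the audit reports only the missing "restrict -6 default" and an effective interval of 2 s (the value 1 read as log2 seconds), which is exactly the comment swap the mail asks for when staying on 4.2.4.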
