Re: Finding abusive NTP clients
On Thu, Dec 1, 2016 at 12:28 PM, Matthew Selsky wrote:

> Sanjeev,
>
> I implemented command shortcuts per
> https://gitlab.com/NTPsec/ntpsec/issues/171
>
> Classic ntpq allowed every command to be shortened, as long as it was unique.
>
> ntpsec ntpq now has that.

Thank you, thank you, thank you. I will go through your source commit, and draft a doc for your review.

--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
Re: Finding abusive NTP clients
> Hal, the 'mru' command no longer works. Was this removed intentionally?

It's probably blocked by some restrictions (to avoid DDoS).

Another possibility is that your fingers typed the old name for a similar command. I forget what it was called. The (new) mrulist command requires a cookie in the request packet so it doesn't work as a DDoS amplifier.

--
These are my opinions. I hate spam.
Re: Finding abusive NTP clients
On Fri, Apr 15, 2016 at 7:05 PM, Hal Murray wrote:

> I just pushed a tweak to ntpq's mrulist command to provide more info if the
> average interval between requests is tiny. Anybody running a pool server
> might like to try it out.
>
> It now looks like this:
>
> ntpq> hostnames no
> ntpq> mru mincount=1000 sort=avgint
> Ctrl-C will stop MRU retrieval and display partial results.
> Retrieved 239 unique MRU entries and 0 updates.
> lstint avgint rstr r m v count rport remote address

Hal, the 'mru' command no longer works. Was this removed intentionally?

--
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
Re: Finding abusive NTP clients
Yo Hal!

On Sat, 16 Apr 2016 12:46:13 -0700
Hal Murray wrote:

> > 1 0.51 1f0 L 3 3 2877243 18012 202.136.171.166
> > 0 1.14 1f0 L 3 4 1282569 54878 52.74.115.126
>
> Wow! The bottom two take the record. If I read that right, they
> have been hammering away for over 2 weeks.

Just as likely those are the victims, not the abusers.

AFAIK the 52.74.115.126 is not even up now. The 202.136.171.166 will answer ping, but has no common open TCP or UDP ports.

And do not expect to get any reply from NTT or AWS.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588
Re: Finding abusive NTP clients
gha...@gmail.com said:

> lstint avgint rstr r m v   count rport remote address
> ==============================================================
>      0   0.01  1f0 L 3 4   32250   123 27.126.220.102
>      0   0.02  1f0 L 3 4   35659   123 27.126.220.105
>      0   0.02  1f0 L 3 4   35789   123 27.126.220.106
>      0   0.02  1f0 L 3 4   35766   123 27.126.220.103
>      0   0.02  1f0 L 3 4   35780   123 27.126.220.101
>      0   0.02  1f0 L 3 4   32843   123 27.126.220.104
>      1   0.51  1f0 L 3 3 2877243 18012 202.136.171.166
>      0   1.14  1f0 L 3 4 1282569 54878 52.74.115.126

Wow! The bottom two take the record. If I read that right, they have been hammering away for over 2 weeks.

52.74.115.126 is Amazon. A polite note to their abuse dept might get some action.

Whois says 202.136.171.166 is NTT SINGAPORE. I don't know how they will react. You will probably have to explain things to them. See if you can find out what sort of broken software they are using.

Looks like your server has been up for a long time and also that you are using the default mrulist setup.

ntpq monstats will give you a summary. If you give it more memory, it won't recycle the slots so quickly and you will be able to see the abusive users who stop after a while.

Here is what I'm using:

  rlimit memlock 200
  mru initmem 25000 maxmem 15 maxage 20

The maxage gets rid of stuff that is 2+ days old.

I run a script each night that saves the mru output. Someday, I should be able to dig out the IPv4 vs IPv6 traffic levels. (If anybody does that before I do, please let me know.)

--
These are my opinions. I hate spam.
Finding abusive NTP clients
I just pushed a tweak to ntpq's mrulist command to provide more info if the average interval between requests is tiny. Anybody running a pool server might like to try it out.

It now looks like this:

ntpq> hostnames no
ntpq> mru mincount=1000 sort=avgint
Ctrl-C will stop MRU retrieval and display partial results.
Retrieved 239 unique MRU entries and 0 updates.
lstint avgint rstr r m v   count rport remote address
==============================================================
 35374   0.03  190 . 3 4    5046 44762 64.72.56.95
   670   0.04  190 . 3 4    4148 38778 162.243.188.66
 57962   0.06  190 . 3 4    1345 33523 96.41.112.161
 90455   0.07  190 . 3 3    1877 49488 2601:644:500:e800:a9d6:8245:1f95:b31b
 66199   0.07  190 . 3 3    2081 54645 159.191.174.119
 47234   0.07  190 . 3 3    1084 40403 108.227.128.23
 62845   0.08  190 . 3 3    1956 47876 71.95.206.54
 19026   0.08  190 . 3 1    3931 63329 190.14.219.238
   460   0.08  190 . 3 4    1877 56897 72.130.39.211
 40670   0.08  190 . 3 3    1629 42184 98.203.248.229
 90375   0.09  190 . 3 4    1185 38002 24.56.50.247
 60720   0.09  190 . 3 3    1599 65462 216.100.91.14
 16506   0.09  190 . 3 3    1026 57813 75.172.167.145
  7633   0.09  190 . 3 3    1557 37974 67.1.146.70
 58813   0.10  190 . 3 1    3134  2410 73.179.193.171
  5947   0.10  190 . 3 3    1171 52276 104.32.81.108
 90798   0.11  190 . 3 4    1388 34042 198.199.99.66
...

--
These are my opinions. I hate spam.
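
Added example (not part of the thread and not NTPsec code): a Python parser for saved mrulist output in the column layout shown in this post. It lists clients with a tiny average interval and totals packets per address family, the IPv4 vs IPv6 split mentioned in the reply about nightly saved output. The sample rows are constructed with documentation addresses; the function names, the 1-second avgint threshold and the count-times-avgint span estimate are assumptions of this example, and it expects "hostnames no" output with a non-blank r column.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed sample in the column layout of the post above; the addresses
# are documentation ranges (RFC 5737 / RFC 3849), not real clients.
SAMPLE = """\
Ctrl-C will stop MRU retrieval and display partial results.
Retrieved 5 unique MRU entries and 0 updates.
lstint avgint rstr r m v   count rport remote address
==============================================================
 35374   0.03  190 . 3 4    5046 44762 192.0.2.95
   670   0.04  190 . 3 4    4148 38778 198.51.100.66
 90455   0.07  190 . 3 3    1877 49488 2001:db8:500:e800::b31b
     1   0.51  1f0 L 3 3 2877243 18012 203.0.113.166
    12  64.00  190 . 3 4    1200   123 2001:db8::1
"""

Entry = namedtuple("Entry", "lstint avgint rstr rate mode ver count rport addr")

def parse_mru(text):
    """Parse data rows; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        try:
            rows.append(Entry(int(f[0]), float(f[1]), f[2], f[3], int(f[4]),
                              int(f[5]), int(f[6]), int(f[7]),
                              ipaddress.ip_address(f[8])))
        except ValueError:   # text line, or a hostname instead of an address
            continue
    return rows

def fast_clients(rows, max_avgint=1.0, min_count=1000):
    """Clients averaging under max_avgint seconds per request, fastest first."""
    hits = [r for r in rows if r.avgint < max_avgint and r.count >= min_count]
    return sorted(hits, key=lambda r: r.avgint)

def span_days(row):
    """Rough observation span (assumed estimate): count times avgint."""
    return row.count * row.avgint / 86400

def packets_by_family(rows):
    """Total packets per IP version, keyed 4 and 6."""
    totals = Counter()
    for r in rows:
        totals[r.addr.version] += r.count
    return totals
```

Run over each night's saved output, packets_by_family gives the per-family totals and fast_clients gives the shortlist to review before contacting an abuse desk.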