Re: Finding abusive NTP clients

2016-12-01 Thread Sanjeev Gupta
On Thu, Dec 1, 2016 at 12:28 PM, Matthew Selsky wrote:

> Sanjeev,
>
> I implemented command shortcuts per https://gitlab.com/NTPsec/ntpsec/issues/171
>
> Classic ntpq allowed every command to be shortened, as long as it was unique.
>
> ntpsec ntpq now has that.
>

Thank you, thank you, thank you.

I will go through your source commit, and draft a doc for your review.

-- 
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel

Re: Finding abusive NTP clients

2016-11-19 Thread Hal Murray
> Hal, the 'mru' command no longer works.  Was this removed intentionally?

It's probably blocked by some restrictions (to avoid DDoS).

Another possibility is that your fingers typed the old name for a similar 
command.  I forget what it was called.  The (new) mrulist command requires a 
cookie in the request packet so it doesn't work as a DDoS amplifier.

-- 
These are my opinions.  I hate spam.





Re: Finding abusive NTP clients

2016-11-19 Thread Sanjeev Gupta
On Fri, Apr 15, 2016 at 7:05 PM, Hal Murray wrote:

>
> I just pushed a tweak to ntpq's mrulist command to provide more info if the
> average interval between requests is tiny.  Anybody running a pool server
> might like to try it out.
>
> It now looks like this:
>
> ntpq> hostnames no
> ntpq> mru mincount=1000 sort=avgint
> Ctrl-C will stop MRU retrieval and display partial results.
> Retrieved 239 unique MRU entries and 0 updates.
> lstint avgint rstr r m v  count rport remote address


Hal, the 'mru' command no longer works.  Was this removed intentionally?

-- 
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane

Re: Finding abusive NTP clients

2016-04-16 Thread Gary E. Miller
Yo Hal!

On Sat, 16 Apr 2016 12:46:13 -0700
Hal Murray wrote:

> >  1   0.51  1f0 L 3 3 2877243 18012 202.136.171.166
> >  0   1.14  1f0 L 3 4 1282569 54878 52.74.115.126   
> 
> Wow!  The bottom two take the record.  If I read that right, they
> have been hammering away for over 2 weeks.

Just as likely those are the victims, not the abusers.

AFAIK the 52.74.115.126 is not even up now.  The 202.136.171.166 will
answer ping, but has no common open TCP or UDP ports.

And do not expect to get any reply from NTT or AWS.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588



Re: Finding abusive NTP clients

2016-04-16 Thread Hal Murray
gha...@gmail.com said:
> lstint avgint rstr r m v  count rport remote address 
> ==
>  0   0.01  1f0 L 3 4  32250   123 27.126.220.102
>  0   0.02  1f0 L 3 4  35659   123 27.126.220.105
>  0   0.02  1f0 L 3 4  35789   123 27.126.220.106
>  0   0.02  1f0 L 3 4  35766   123 27.126.220.103
>  0   0.02  1f0 L 3 4  35780   123 27.126.220.101
>  0   0.02  1f0 L 3 4  32843   123 27.126.220.104
>  1   0.51  1f0 L 3 3 2877243 18012 202.136.171.166
>  0   1.14  1f0 L 3 4 1282569 54878 52.74.115.126 

Wow!  The bottom two take the record.  If I read that right, they have been 
hammering away for over 2 weeks.

52.74.115.126 is Amazon.  A polite note to their abuse dept might get some 
action.  Whois says 202.136.171.166 is NTT SINGAPORE.  I don't know how they 
will react.  You will probably have to explain things to them.  See if you 
can find out what sort of broken software they are using.


Looks like your server has been up for a long time and also that you are 
using the default mrulist setup.  ntpq monstats will give you a summary.

If you give it more memory, it won't recycle the slots so quickly and you 
will be able to see the abusive users who stop after a while.  Here is what 
I'm using:
  rlimit memlock 200
  mru initmem 25000 maxmem 15 maxage 20

The maxage gets rid of stuff that is 2+ days old.  I run a script each night 
that saves the mru output.  Someday, I should be able to dig out the IPv4 vs 
IPv6 traffic levels.  (If anybody does that before I do, please let me know.)




-- 
These are my opinions.  I hate spam.
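
An added example (not part of the thread and not NTPsec code): a Python script that reads saved mrulist text in the column layout quoted above, lists clients with a tiny average interval, estimates how long each has been sending as count × avgint, and totals packets per IP version. The sample rows, thresholds and function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "lstint avgint rstr r m v count rport addr")

# Constructed sample in the column layout quoted in the thread;
# addresses are documentation ranges, not real clients.
SAMPLE = """\
lstint avgint rstr r m v  count rport remote address
==============================================================
     0   0.02  1f0 L 3 4   35000   123 192.0.2.101
     1   0.50  1f0 L 3 3 2000000 18012 198.51.100.7
    40  64.00  1d0 . 3 4     900   123 203.0.113.9
     2   0.25  1f0 L 3 4   80000 40000 2001:db8::bad
   900 128.00  1d0 . 3 4      50   123 2001:db8::10
"""

def parse_mru(text):
    """Parse saved mrulist text, skipping header, separator and status lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        try:
            ip = ipaddress.ip_address(f[8])
            entries.append(Entry(int(f[0]), float(f[1]), int(f[2], 16), f[3],
                                 int(f[4]), int(f[5]), int(f[6]), int(f[7]), ip))
        except ValueError:
            continue  # status text or a hostname instead of an address
    return entries

def heavy_hitters(entries, max_avgint=1.0, min_count=1000):
    """Clients averaging under max_avgint seconds between packets, busiest first."""
    hits = [e for e in entries if e.avgint <= max_avgint and e.count >= min_count]
    return sorted(hits, key=lambda e: e.count, reverse=True)

def active_days(e):
    """Rough span covered by an entry: count * avgint seconds, in days."""
    return e.count * e.avgint / 86400

def packets_by_family(entries):
    """Total packet count per IP version, as {4: ..., 6: ...}."""
    return {v: sum(e.count for e in entries if e.addr.version == v) for v in (4, 6)}

if __name__ == "__main__":
    for e in heavy_hitters(parse_mru(SAMPLE)):
        print(f"{e.addr}  count={e.count}  avgint={e.avgint}  ~{active_days(e):.1f} days")
    print(packets_by_family(parse_mru(SAMPLE)))
```

Applied to the two largest rows quoted above, count × avgint comes to roughly 17 days each. Run it with "hostnames no" output so the last column is an address.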


