Joel Reicher wrote:
Implementing this into an NTP server application is AFAICS technically possible, the question is if it will help or not.


I'm not entirely sure I understand this suggestion, because NTP, since
it is implemented with UDP, does not maintain connections. There's not
really anything to drop. Unless the client obeys some of the higher
level NTP stuff, like KOD, there's no way to tell it to stop. And if
it does obey that stuff, it's unlikely to be very abusive in the
first place; just perhaps misconfigured.

If there's a really harmful client, the damage is already done by the
time the packets reach ntpd.
I agree that this would not help all the time, especially in such a bad case as the UWisc vs. Netgear disaster, mainly because the people owning those Netgear boxes did not care about time synchronization and mostly did not even know that their router has this "feature".

The "discard packets if too many requests received" method only helps against users caring about time synchronization, but using the wrong software or configuration. If those people detect that they do not get what they want, they will either change the ntp server they are using or reconfigure/change their software.

I'm pretty sure there is no effective way of dealing with people who do not know and therefore do not care that they are doing something wrong.

I'd prefer to let ntpd throw away those requests instead of checking for every client if it is blacklisted (and all the effort to maintain such a blacklist).

The effect is the same: the client will not get served anymore.

The effort on the pool side is similar or even less: server admins will have to change their ntp.conf (following the blacklisting way, they probably would have to install/maintain additional software or scripts).

Fortunately it seems that this discard-if-limit-exceeded is already implemented in ntpd. I will test this feature and check how ntpd reacts if under fire from one client. If anyone else is interested in testing, please check out the ntpd online documentation and look for the "restrict limited" and "discard" configuration commands, which seem to do exactly what I was talking about.


Cheers,

        - Joel


Kind regards,
Heiko


--
------------------------------------------------------------------------

*MEINBERG Funkuhren*
Auf der Landwehr 22
D-31812 Bad Pyrmont, Germany
Tel.: ++49 (0)5281 9309-25
Fax: ++49 (0)5281 9309-30
eMail: [EMAIL PROTECTED]
Internet: www.meinberg.de <http://www.meinberg.de/>

------------------------------------------------------------------------

Meinberg radio clocks: 25 years of accurate time worldwide

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
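As an added illustration of the "restrict limited" and "discard" commands mentioned in the message above (example configuration, not part of Heiko's mail or of the ntpd documentation): the ntp.conf fragment below makes ntpd drop requests from a single client that exceeds the rate limit. The directive names and flags are ntpd's own; the threshold values and the server name are assumptions.

```conf
# Added example, not from the original message.
# ntp.conf fragment: discard requests from clients that send too often.
# Directive names are ntpd's; the numbers and hostnames are assumptions.

# Thresholds used by the "limited" restrict flag.
#   average 3  -> minimum average spacing between packets from one client,
#                 given in log2 seconds in current ntpd docs (2^3 = 8 s)
#   minimum 2  -> guard time: no two packets from one client closer than 2 s
# Check the documentation of your ntpd version for the exact units.
discard average 3 minimum 2

# Default policy for all clients:
#   limited  - silently drop requests that violate the discard thresholds;
#              an ignorant or broken client is simply no longer served
#   kod      - additionally answer the first violating request with a
#              Kiss-o'-Death (RATE) packet, so a client that honours KoD
#              backs off on its own
#   nomodify - refuse runtime reconfiguration
#   noquery  - refuse ntpq/ntpdc status queries from outsiders
#   notrap   - refuse trap (event notification) service
#   nopeer   - refuse unsolicited symmetric-active associations
restrict default kod limited nomodify notrap nopeer noquery

# The rate limiter relies on the monitor facility (on by default in ntpd).
enable monitor

# Do not throttle the local host or the sources this server syncs from.
restrict 127.0.0.1
restrict ::1
server time.example.org iburst              # assumption: your upstream source
restrict time.example.org nomodify notrap noquery
```

After reloading, a client that queries faster than the thresholds stops receiving replies (or gets a RATE KoD first if it understands it), which is the "discard-if-limit-exceeded" behaviour the message describes; well-behaved but misconfigured clients notice the missing answers, abusive ones are not served.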
