> I experimented a bit with graphing the queries [...] > Sadly it seems like a HUGE amount of users are fetching time right at > the top of the hour.
Or at least fetching addresses. I'm now collecting data from my own pool host to see if I see similar spikes in people fetching time. I'll have to wait a few hours before I have enough data to say anything useful, though. There's another thing I've been doing that I'd like to run past the collective list wisdom, though. It neads a little backstory. I found my DNS server being abused as a DDoS reflector; someone was sending queries (for TXT records for aol.com. - why that, I don't know) forged as being from the victim. (I don't serve aol.com, of course; apparently the referrals to the roots were enough to satisfy the DDoSer.) I installed monitoring so that any host that sends too much traffic to my DNS servers gets blocked at my border, based on an exponential decay filter with time constant set for a half-life of 30 minutes, an increment of 1 when a packet is seen, and a trip threshold of 250 (or about a packet every ten seconds; since a query involves a packet each direction, this is a query every twenty seconds). I did the same thing for NTP but with the trip threshold set to 750 instead, for about one packet every 3.5 seconds, figuring that was infrequent enough to be of comparatively little use as a DDoS reflector but frequent enough to be well on the far side of reasonable NTP use. The interesting thing is, the NTP test is tripping regularly. I find it hard to believe I'm being used as a DDoS reflector to that extent, meaning that there are apparently hosts out there that really do query me on the order of every seven seconds. My questions for the list are, (1) does this match others' experience? and (2) what's the list's opinion on whether this is a reasonable thing to do on a pool server, and, if so, on my choice of trip point? /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML [email protected] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ timekeepers mailing list [email protected] https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
