>> I'm now collecting data from my own pool host to see if I see >> similar spikes in people fetching time. > I don't think you will; as Nelson said then most of the actual > clients are (for better or worse) doing a few DNS lookups and then > using those IPs for a long long time. The DNS spikes are from > ntpdate/sntp clients.
But they will produce a spike in queries, too. The real question is, are they a large enough fraciton of the query load for the spike they produce to stand out amid the noise? It's been only a few hours I've been collecting data, so my data are only preliminary at this point. But the preliminary data are tending towards "yes, there is a significant spike on the hour". I'm surprised; my guess would have been that the spike from synchronized synchronization (if that's not too odd a term) would be tiny amid the general NTP traffic. I've got it collecting data for one day. Sometime tomorrow I'll crunch the day's worth of data and see what it has to say. I also may set up longer-term data collection, just out of curiosity - I've lost count of the number of times I've started collecting data on something only to be surprised when it comes time to look at it. And, as I forget who said, the most important utterance in science is not "Eureka!" but rather "Hmm, that's odd...". >> My questions for the list are, (1) does this match others' >> experience? and (2) what's the list's opinion on whether this is a >> reasonable thing to do on a pool server, and, if so, on my choice of >> trip point? > IIRC then it's not clear if blocking the packets actually help or > just make them increase. :-( I'm inclined to go with the blocking on the theory that if they _are_ DDoS traffic, at least I'm not contributing to piling on the (presumably mostly innocent) victim. If the traffic level reaches levels high enough to be called a DDoS on _me_, I'll contact my upstream about it and work something out.... /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML [email protected] / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ timekeepers mailing list [email protected] https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
