>> The real problems aren't from someone polling every 500 seconds, or
>> even every minute--

Indeed, I usually see ntpd poll every 64 seconds for a while on startup.

>> it's the folks sending a query every second because their config or
>> firewall is busted.

> This might already be answered somewhere in a FAQ, but, why is even
> that too much? The NTP traffic I see never goes over 5-6 kbps, and
> the daemon should be able to handle at least 20 times more than that.
> So, is there a reason to ban anyone who isn't sending something like
> 100pps?

I have software set up to block, at my border router, anyone pounding
too hard on my NTP port, and, speaking purely personally, there are two
reasons.

One is that NTP already takes up a significant fraction of my netlink,
even with the autobans. Every kilobit helps. (The ban actually happens
on the wrong end of my netlink at the moment, but it at least eliminates
the return traffic.) Note that no single abuser may be all that
egregious, but, in the aggregate, they make a difference.

The other is negative pressure against misbehaviour, in the evolutionary
sense. If abusers find NTP doesn't work well for them, they may stop.

(What is my "too much" threshold? It's not a hard "more than this many
pps is too much"; what I have is, conceptually, a per-IP counter which
is incremented by 1 for every packet and decays exponentially at a rate
that gives it a half-life of half an hour. If it goes over a fixed value
- 750, for NTP - the ban trips. Considering only steady traffic rates,
this is somewhere around 3.465 seconds between packets, but it's more
tolerant of bursts than a simple packets-per-$TIME threshold.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
