On Wed, 22 Aug 2012 08:37:10 -0500, Andy Wright <[email protected]> wrote:
> On Tue, 2012-08-21 at 20:40 +0200, Daniel Frank wrote:
>> Hello,
>>
>> this email brought me to finally implement what I wanted to do for two
>> months already: implementing a decent Linux iptables ruleset for ntp.
>> Weapon of choice: the recent module, to avoid having to manually blacklist
>> clients.
>>
>> After setting a rule that blocked all packets from clients that send 9 or
>> more packets in 10 seconds, I noticed that about 2-3% of all packets were
>> filtered out, with about 120 clients affected in 15 minutes.
>> Did I accidentally filter out normal packets, like the bursts when a
>> client initializes? What are normal packet rates?
>>
>> I have set it to 9 packets in 5 seconds now and the numbers look a lot
>> more decent, with only 5 clients filtered in 15 minutes.
>>
>> Any further suggestions about filtering misbehaving clients?
>
> I have netfilter allowing 16 within 4 seconds. I believe 16 frames is
> appropriate for burst, I may be wrong. For those with multiple
> computers behind NAT, my iptables rules may be a problem for some, though
> you would hope most locations with several computers have an NTP server
> in itself.
This sounds like a good value to me. Within 45 minutes it caught very few
packets (and those few that were caught came from only 8 hosts):

Chain ntp (1 references)
 pkts bytes target        prot opt in  out source      destination
  757 57532 ntpblackhole  all  --  *   *   0.0.0.0/0   0.0.0.0/0   recent: UPDATE seconds: 4 hit_count: 17 name: ntpv4 side: source
 455K   35M ACCEPT        all  --  *   *   0.0.0.0/0   0.0.0.0/0   recent: SET name: ntpv4 side: source

> You could also use the "limit" restriction in NTP.

That sounds good, but will put additional load on ntpd if not combined
with a firewall. I just noticed a client sending 53 packets within 2
seconds, and ntpd just lists 2 ignored packets.

So I guess a mix of both variants is good. Those clients that flood my
server first get a kod packet, and if they do not listen, they are blocked
at the firewall. Sane clients that respect kod packets are able to use my
server just fine as soon as they tune down their speed, which should
happen automatically after a kod.

Thanks!
Daniel

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
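The thread compares three thresholds for the same two-rule `recent` chain (9 hits in 10 s, 9 in 5 s, 17 in 4 s) and asks whether a normal client burst or a NAT site gets caught. The model below is an added example written for this page; it is not code from the thread or from netfilter. It reimplements, in Python, how I understand the xt_recent match works (one timestamp list per source address, capped at the module's `ip_pkt_list_tot`, `--update` counting the stamps newer than `now - seconds` and refreshing the entry only when the rule matches, `--set` recording every accepted packet), and runs constructed traffic profiles through it: an 8-packet iburst spaced 2 s apart, the 53-packets-in-2-seconds client mentioned above, and two iburst hosts behind one NAT address. The source addresses, timings and the simplified kernel semantics are assumptions; check the behaviour against the kernel you actually run before relying on the exact counts.

```python
"""Offline model of the iptables 'recent' rate-limit chain from the thread:

    -A ntp -m recent --update --seconds S --hitcount N --name ntpv4 --rsource -j ntpblackhole
    -A ntp -m recent --set --name ntpv4 --rsource -j ACCEPT

Assumption: simplified xt_recent semantics as described in the lead-in.
All traffic below is constructed, not captured.
"""
from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple

IP_PKT_LIST_TOT = 20  # xt_recent module default; --hitcount may not exceed it


class RecentNtpChain:
    def __init__(self, seconds: float, hitcount: int, list_tot: int = IP_PKT_LIST_TOT):
        if hitcount > list_tot:
            # iptables rejects such a rule unless xt_recent was loaded with a larger ip_pkt_list_tot
            raise ValueError(f"hitcount {hitcount} exceeds ip_pkt_list_tot {list_tot}")
        self.seconds = seconds
        self.hitcount = hitcount
        self.list_tot = list_tot
        self.stamps: Dict[str, Deque[float]] = {}

    def packet(self, src: str, now: float) -> str:
        """Verdict for one packet from src arriving at time now (seconds)."""
        # deque(maxlen=...) behaves like the kernel ring buffer: the oldest stamp is overwritten
        stamps = self.stamps.setdefault(src, deque(maxlen=self.list_tot))
        # Rule 1 (--update --seconds --hitcount): count recorded stamps inside the window.
        # The packet being examined is not recorded yet, so N stamps means this is at least
        # the (N+1)th packet from src within the window.
        hits = sum(1 for s in stamps if s >= now - self.seconds)
        if hits >= self.hitcount:
            stamps.append(now)   # --update refreshes the entry when it matches
            return "DROP"        # -> ntpblackhole
        # Rule 2 (--set): record this packet and accept it.
        stamps.append(now)
        return "ACCEPT"


def simulate(chain: RecentNtpChain, packets: Iterable[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (time, src) pairs in time order; return {src: (accepted, dropped)}."""
    counts: Dict[str, List[int]] = {}
    for now, src in sorted(packets):
        acc_drop = counts.setdefault(src, [0, 0])
        acc_drop[0 if chain.packet(src, now) == "ACCEPT" else 1] += 1
    return {src: (a, d) for src, (a, d) in counts.items()}


# Constructed traffic profiles (addresses from the documentation ranges).
def iburst(src: str, start: float = 0.0, n: int = 8, spacing: float = 2.0) -> List[Tuple[float, str]]:
    """An iburst-style start-up: n packets, spacing seconds apart (assumed 8 x 2 s)."""
    return [(start + i * spacing, src) for i in range(n)]


def flood(src: str, n: int = 53, span: float = 2.0) -> List[Tuple[float, str]]:
    """The misbehaving client from the thread: n packets spread evenly over span seconds."""
    return [(i * span / n, src) for i in range(n)]


def nat_site(src: str, hosts: int = 2, offset: float = 0.5) -> List[Tuple[float, str]]:
    """Several hosts behind one NAT address, each doing an iburst, staggered by offset seconds."""
    pkts: List[Tuple[float, str]] = []
    for h in range(hosts):
        pkts += iburst(src, start=h * offset)
    return pkts


POLICIES = {"9 in 10s": (10, 9), "9 in 5s": (5, 9), "17 in 4s": (4, 17)}
PROFILES = {
    "single iburst": iburst("198.51.100.7"),
    "53 pkts / 2s": flood("198.51.100.9"),
    "2 hosts behind NAT": nat_site("203.0.113.2"),
}


def compare() -> Dict[str, Dict[str, Tuple[int, int]]]:
    """(accepted, dropped) for every policy/profile pair; a fresh chain per run."""
    out: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for pname, (seconds, hitcount) in POLICIES.items():
        out[pname] = {}
        for tname, pkts in PROFILES.items():
            res = simulate(RecentNtpChain(seconds, hitcount), pkts)
            out[pname][tname] = next(iter(res.values()))
    return out


if __name__ == "__main__":
    for pname, rows in compare().items():
        for tname, (acc, drop) in rows.items():
            print(f"{pname:>9} | {tname:<20} accepted={acc:3d} dropped={drop:3d}")
```

With these (assumed) profiles the 9-in-10-s rule drops half of the two-host NAT site's start-up burst while a lone iburst client is untouched, which is the kind of collateral damage the 2-3% figure above suggests; narrowing the window to 5 s lets that site through, and 17-in-4-s still cuts the 53-packet flood off after its 17th packet. Because `--update` keeps refreshing the entry for a dropped source, a client that keeps hammering stays in the blackhole until it slows down, which is the firewall-side counterpart of the kod behaviour described in the mail.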
