It's probably a DDoS reflection attack, rather than an abusive client.
We've started to see them more often via NTP (in addition to SNMP, DNS,
and chargen).
On 12/16/2013 10:07 AM, Matt Wagner wrote:
On Mon, Dec 16, 2013 at 2:14 AM, Michael Rathbun <[email protected]> wrote:
>
> 64.61.140.162: total: 11328 avgint: 1
>
> hmm...
I used to get a bunch of these. I'm not quite sure what causes it, but
it's annoying.

Some might have been a bunch of people using NAT, but in other cases it
looked like it was a single client querying me once a second.

I used to pretty aggressively seek these things out and block them in
iptables, but I eventually concluded that it was pointless. Since I had
ntpd set up with the 'kod' and 'limited' keywords, I was really just
moving where the requests got dropped, but also preventing ntpd from
sending an occasional KoD. (Not that the client seemed to pay attention
to them.)

I'm still pretty curious what causes a client to do this, though. I
can't see an obvious misconfiguration that would do this.
--
Matt
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool