On 08/01/14 22:04, Andreas Krüger wrote:
>> ntpd is doing the rate limiting by itself just fine. You do not need
>> to have a firewall in front of it for doing rate limiting.
>
> I disagree.
>
> This is true only if you have a VERY recent version of ntpd. So
> recent, it hasn't been released, at least not as of Dec 17. Compare
> http://lists.ntp.org/pipermail/pool/2013-December/006724.html .
>
> Older versions of ntpd keep state only for 600 clients. If you have
> more clients than that, the built-in rate limiting of ntpd becomes
> overloaded. You are likely to have more clients than that, once you
> let your ntpd enter the pool.
This is only a problem if you have more than 600 abusive clients at one time. In several years of running pool servers with configured speeds between 100 and 500 Mbit I have not seen this. Maybe I have been lucky, or maybe I just haven't looked at the right time. I have seen several individual clients with more than 100000 queries recorded in monlist.

As an example, if you have 10000 well-behaved clients querying on average every 1000 seconds and 400 abusive clients querying every 10 seconds, then the abusive clients will remain in the list and will be blocked. The fact that the well-behaved clients are forgotten does not matter. If an abusive client goes away it will also be forgotten, but it will soon be blocked again if it returns. So long as noquery and nomodify are specified this is fine.

Again, so long as noquery and nomodify are given, the harm that abusive clients can do is very limited, even if they are not blocked. The server is useless for an amplification attack and the main problem is a small amount of wasted resources.

Roger
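As an added illustration of the 600-entry state limit argued over in this thread (constructed example, not ntpd's code and not from either poster): a simplified most-recently-used list model, with an assumed 30-second "too fast" threshold rather than ntpd's real `discard` defaults, run over the 10000 well-behaved / 400 abusive client mix described above. It shows the abusive clients staying resident and limited while the well-behaved ones are forgotten long before their next query.

```python
"""Constructed model of a fixed-size MRU client list used for per-client
rate limiting.  Simplification: not ntpd's actual algorithm or defaults."""
from collections import OrderedDict

MRU_SIZE = 600          # entries the older ntpd keeps, per the thread
MIN_INTERVAL = 30       # assumed threshold: queries closer than this are limited


class MruLimiter:
    """Keeps the last `size` clients seen; the least recently seen is evicted."""

    def __init__(self, size=MRU_SIZE, min_interval=MIN_INTERVAL):
        self.size = size
        self.min_interval = min_interval
        self.seen = OrderedDict()   # client -> time of its last query
        self.limited = 0            # queries that would have been rate limited
        self.evictions = 0          # entries forgotten because the list was full

    def query(self, client, now):
        """Record a query at time `now`; return True if it should be limited."""
        limited = False
        last = self.seen.pop(client, None)   # pop so re-insert moves it to the end
        if last is not None and now - last < self.min_interval:
            limited = True
            self.limited += 1
        self.seen[client] = now
        if len(self.seen) > self.size:
            self.seen.popitem(last=False)    # forget the least recently seen client
            self.evictions += 1
        return limited


def simulate(duration=3000, good=10000, good_period=1000,
             abusive=400, abusive_period=10):
    """Interleave both client populations over `duration` seconds (constructed)."""
    events = []
    for i in range(good):       # phases spread evenly so load is steady per second
        events += [(t, f"good{i}") for t in range(i % good_period, duration, good_period)]
    for j in range(abusive):
        events += [(t, f"bad{j}") for t in range(j % abusive_period, duration, abusive_period)]
    events.sort()
    lim = MruLimiter()
    for t, client in events:
        lim.query(client, t)
    bad_in_list = sum(1 for c in lim.seen if c.startswith("bad"))
    good_in_list = len(lim.seen) - bad_in_list
    return lim.limited, bad_in_list, good_in_list
```

With these parameters every abusive query after a client's first is limited, all 400 abusive clients remain in the list, and only the 200 most recent well-behaved clients occupy the remaining slots.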
