Hello Nyamul

On 16.02.14 04:33, Nyamul Hassan wrote:
> After enabling each of them, we tried "disabling" the rule we enforced
> earlier (the one blocking remote clients which did not have a source port
> of 123) for one of our "high target" servers.  As soon as we lifted that
> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> throughout the 1-2 hours we kept the test running.

I do not know what bandwidth you have set for the Pool and in which zone this server is. This would be helpful to know, as it has quite an impact on how many requests the server is getting. E.g. if you have set it to 1 Gbit/s and are in a zone and region with just a few servers, you could get much more traffic than with a lower bandwidth in a zone / region with a lot of servers. Depending on these two parameters, the 8-12 Mbit/s may just be normal, legitimate NTP requests.

I do have some other questions.

Are you seeing the same amount of requests or packets in inbound and outbound?

What are your settings for the 'restrict default' line in ntp.conf? Are you using the options below?

restrict default limited kod notrap nomodify nopeer noquery

As suggested by Rob Janssen, you may leave out the 'kod' option.

> Can someone suggest where the rules are failing to stop outbound traffic
> over extended periods?

If these are legit requests, then you should not block outbound traffic to them; you should serve them with time.

My recommendation is to let ntpd do the rate limiting and not block / limit traffic with iptables or such.


bye
Fabian
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
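The 'restrict default' options and the ntpd-side rate limiting discussed in this message, as an added example that is not part of the thread and not code from the NTP project: a small Python checker that parses an ntp.conf, collects the flags on each `restrict [-4|-6] default` line and the `discard` rate-limit parameters, and reports which of the options from the message are missing. It treats 'kod' as optional (per Rob Janssen's suggestion) and, as an assumption of this script, treats an unqualified `default` as covering both address families. The two sample configs are constructed for the example, and `ntp.example.org` is a placeholder upstream.

```python
"""Added example (not from the thread): audit an ntp.conf against the
'restrict default' options listed in the message, with 'kod' optional.
The sample configs below are constructed for this example."""

# Options from the message's restrict line; kod is allowed but not required.
REQUIRED = {"limited", "notrap", "nomodify", "nopeer", "noquery"}

# Constructed sample: a loose config that answers queries from anyone.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.org iburst        # placeholder upstream
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample: the line from the thread plus explicit discard thresholds.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp.example.org iburst        # placeholder upstream
discard average 3 minimum 2
restrict default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def _statements(conf_text):
    """Yield one token list per statement; comments and blank lines are dropped."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_restrict_defaults(conf_text):
    """Map address family -> set of flags for each 'restrict [-4|-6] default' line.
    Assumption of this script: an unqualified 'default' covers both families."""
    defaults = {}
    for tokens in _statements(conf_text):
        if tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        family = "ipv4/ipv6"
        if rest and rest[0] in ("-4", "-6"):
            family = "ipv4" if rest[0] == "-4" else "ipv6"
            rest = rest[1:]
        if rest and rest[0] == "default":
            defaults[family] = set(rest[1:])
    return defaults


def parse_discard(conf_text):
    """Return the 'discard' rate-limit parameters (e.g. average/minimum) as
    ints keyed by name, or an empty dict when no discard line is present."""
    for tokens in _statements(conf_text):
        if tokens[0] == "discard":
            return {k: int(v) for k, v in zip(tokens[1::2], tokens[2::2])}
    return {}


def audit(conf_text, required=REQUIRED):
    """Return a list of findings; an empty list means every 'restrict default'
    line carries the required options."""
    findings = []
    defaults = parse_restrict_defaults(conf_text)
    if not defaults:
        findings.append("no 'restrict default' line: remote clients are unrestricted")
    for family, flags in sorted(defaults.items()):
        missing = sorted(required - flags)
        if missing:
            findings.append(f"restrict default ({family}) lacks: {' '.join(missing)}")
        if "limited" in flags and not parse_discard(conf_text):
            # 'limited' enforces the discard thresholds; without a discard
            # line ntpd falls back to its built-in values.
            findings.append(f"restrict default ({family}) uses 'limited' "
                            "without a 'discard' line; ntpd's built-in thresholds apply")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against a real ntp.conf by passing the file's contents to `audit()`; a non-empty list names the options the restrict line is missing, which is the first thing to check before reaching for iptables.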
