Thank you Fabian Wenk for your response. All this 8-12 Mbps is against 5-10 hosts, of which the top 1-2 hosts are seeing somewhere around 2-5 Mbps each.

We also noted that, almost invariably, the remote ports are not 123. Our ntp.conf settings are as follows:

restrict default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig=all
logfile /var/log/ntp.log

Thank you once again for your help!

Regards
HASSAN

On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <[email protected]> wrote:
> Hello Nyamul
>
> On 16.02.14 04:33, Nyamul Hassan wrote:
>> After enabling each of them, we tried "disabling" the rule we enforced
>> earlier (the one blocking remote clients which did not have a source port
>> of 123) for one of our "high target" servers. As soon as we lifted that
>> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
>> throughout the 1-2 hours we kept the test running.
>
> I do not know what bandwidth you have set for the Pool and in which zone
> this server is. This would be helpful to know, as this does have quite an
> impact on how many requests the server is getting. E.g. if you have set it
> to 1 Gbit/s and are in a zone and region with just a few servers, you could
> get much more traffic than with a lower bandwidth in a zone / region with
> a lot of servers. Depending on these 2 parameters, eventually the 8-12
> Mbit/s are just normal legit ntp requests.
>
> I do have some other questions.
>
> Are you seeing the same amount of requests or packets inbound and
> outbound?
>
> What are your settings for the 'restrict default' line in ntp.conf, are
> you using the options below?
>
> restrict default limited kod notrap nomodify nopeer noquery
>
> As suggested by Rob Janssen, you may leave out the 'kod' option.
>
>> Can someone suggest where the rules are failing to stop outbound traffic
>> over extended periods?
>
> If these are legit requests, then you should not block outbound traffic to
> them, you should serve them with time.
>
> My recommendation is to let ntpd do the rate limiting and not block /
> limit traffic with iptables or such.
>
>
> bye
> Fabian
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
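The two 'restrict default' lines in this thread differ only in 'nomodify' and 'noquery'. The check below is an added example, not code from the thread or from ntpd: it parses the 'restrict default' line(s) of an ntp.conf and reports which of the flags Fabian lists are absent. The two configuration strings are constructed from the lines quoted above; the file names and function names are hypothetical.

```python
"""
Added example: lint the 'restrict default' line(s) of an ntp.conf for the
access-control flags suggested in the thread. Not code from the thread or
from ntpd; the sample configs are constructed from the quoted messages.
"""
import re
from typing import Dict, List

# Flags from Fabian's suggested line. 'kod' is deliberately not in this set
# because the thread notes it may be left out (Rob Janssen's suggestion).
RECOMMENDED_FLAGS = {"limited", "notrap", "nomodify", "nopeer", "noquery"}

# Constructed from Hassan's posted ntp.conf (hypothetical file contents).
HASSAN_CONF = """\
restrict default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig=all
logfile /var/log/ntp.log
"""

# Constructed: the same file with the 'restrict default' line Fabian suggests.
FABIAN_CONF = """\
restrict default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::
"""

# Matches 'restrict default ...', 'restrict -4 default ...' and
# 'restrict -6 default ...'; the trailing group holds the flag words.
_RESTRICT_DEFAULT_RE = re.compile(r"^\s*restrict\s+(?:(-4|-6)\s+)?default\b(.*)$")


def default_restrict_flags(conf_text: str) -> Dict[str, set]:
    """Return the flag set of each 'restrict default' line, keyed by address
    family ('any', '-4' or '-6'). Comments starting with '#' are stripped.
    A family that has no 'restrict default' line is absent from the result."""
    result: Dict[str, set] = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = _RESTRICT_DEFAULT_RE.match(line)
        if not m:
            continue
        family = m.group(1) or "any"
        result[family] = set(m.group(2).split())
    return result


def missing_flags(conf_text: str) -> Dict[str, List[str]]:
    """For each 'restrict default' line, list the recommended flags it lacks.
    With no 'restrict default' line at all, ntpd applies no restriction to
    remote hosts, so every recommended flag is reported missing under 'any'."""
    found = default_restrict_flags(conf_text)
    if not found:
        return {"any": sorted(RECOMMENDED_FLAGS)}
    return {fam: sorted(RECOMMENDED_FLAGS - flags) for fam, flags in found.items()}


if __name__ == "__main__":
    for name, conf in (("hassan", HASSAN_CONF), ("fabian", FABIAN_CONF)):
        for family, missing in missing_flags(conf).items():
            print(f"{name}: restrict default ({family}) missing: {missing or 'nothing'}")
```

Run against the posted config the check reports 'nomodify' and 'noquery' missing; against Fabian's line it reports nothing. The 'kod' flag is intentionally not required, matching the thread's advice that it may be dropped.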
