> > restrict default limited kod notrap nopeer
>
> Add noquery to the above list or your machines will allow DDoSing other
> folks.

Yes, we could. But, some people on this list believe that "noquery" also
restricts certain use cases, which as "Pool Servers" we should be able to
accommodate. What do you think?

Regards
HASSAN

> H
> --
> > restrict 127.0.0.1
> > restrict ::
> > driftfile /var/lib/ntp/drift
> > keys /etc/ntp/keys
> > logconfig=all
> > logfile /var/log/ntp.log
> >
> > Thank you once again for your help!
> >
> > Regards
> > HASSAN
> >
> > On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <[email protected]> wrote:
> >
> > > Hello Nyamul
> > >
> > > On 16.02.14 04:33, Nyamul Hassan wrote:
> > >
> > > > After enabling each of them, we tried "disabling" the rule we enforced
> > > > earlier (the one blocking remote clients which did not have a source
> > > > port of 123) for one of our "high target" servers. As soon as we lifted
> > > > that rule, that server spiked outbound UDP traffic around 8-12 Mbps
> > > > level throughout the 1-2 hours we kept the test running.
> > >
> > > I do not know what bandwidth you have set for the Pool and in which zone
> > > this server is. This would be helpful to know, as this does have quite an
> > > impact on how many requests the server is getting. E.g. if you have set it
> > > to 1 Gbit/s and are in a zone and region with just a few servers, you
> > > could get much more traffic than with a lower bandwidth in a zone / region
> > > with a lot of servers. Depending on these 2 parameters, eventually the
> > > 8-12 Mbits/s are just normal legit ntp requests.
> > >
> > > I do have some other questions.
> > >
> > > Are you seeing the same amount of requests or packets in inbound and
> > > outbound?
> > >
> > > What are your settings for the 'restrict default' line in ntp.conf, are
> > > you using the options below?
> > >
> > > restrict default limited kod notrap nomodify nopeer noquery
> > >
> > > As suggested by Rob Janssen, you may leave out the 'kod' option.
> > >
> > > > Can someone suggest where the rules are failing to stop outbound
> > > > traffic over extended periods?
> > >
> > > If these are legit requests, then you should not block outbound traffic
> > > to them, you should serve them with time.
> > >
> > > My recommendation is to let ntpd do the rate limiting and not blocking /
> > > limiting traffic with iptables or such.
> > >
> > > bye
> > > Fabian
> > >
> > > _______________________________________________
> > > pool mailing list
> > > [email protected]
> > > http://lists.ntp.org/listinfo/pool
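The `restrict default` flags under discussion, as an added audit script that is not part of the thread or of the NTP project: it parses the `restrict` statements of an ntp.conf, compares the default line against the flag set Fabian Wenk quoted (with `kod` treated as optional, per Rob Janssen's suggestion) and reports what is missing and what each missing flag would have prevented. The two configuration texts are constructed samples (the posted line without `noquery`, and the hardened line); the baseline set, the `ignore` handling and the flag explanations are this example's assumptions, not text from the thread.

```python
"""Audit the `restrict default` line of an ntp.conf against a hardening baseline.

Added example for the pool mailing list thread above; not code from the thread
or from ntpd. The baseline set and the explanations are assumptions of this
example, taken from the flags Fabian Wenk quoted in the thread.
"""

# Baseline: restrict default limited kod notrap nomodify nopeer noquery
# `kod` is left out because the thread says it may be omitted.
REQUIRED_FLAGS = {"limited", "notrap", "nomodify", "nopeer", "noquery"}

# Defender's summary of what each flag denies (assumption of this example).
FLAG_PURPOSE = {
    "noquery": "denies ntpq/ntpdc monitoring queries (mode 6/7), the traffic "
               "class abused for amplification; normal time requests still work",
    "nomodify": "denies runtime configuration changes via ntpq/ntpdc",
    "nopeer": "denies unauthenticated peer associations from remote hosts",
    "notrap": "disables the mode 6 trap service",
    "limited": "rate-limits clients, i.e. lets ntpd do the limiting itself",
}


def parse_restrict_lines(conf_text):
    """Return {address_spec: set(flags)} for every `restrict` statement.

    `restrict -4 default ...` / `-6` forms are keyed "-4 default" / "-6 default";
    a `mask` argument is folded into the address key as addr/mask.
    """
    result = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = ""
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens:
            continue
        addr, rest = tokens[0], tokens[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                addr = f"{addr}/{rest[i + 1]}"   # mask consumes one argument
                i += 2
            else:
                flags.add(rest[i])
                i += 1
        result[f"{family} {addr}".strip()] = flags
    return result


def audit_default(conf_text):
    """Return {key: sorted missing flags} for each `restrict default` line.

    No default line at all means ntpd grants full access, so that case is
    reported as missing every baseline flag. A default line carrying `ignore`
    drops all packets, so nothing is reported as missing for it.
    """
    restricts = parse_restrict_lines(conf_text)
    defaults = {k: v for k, v in restricts.items() if k.split()[-1] == "default"}
    if not defaults:
        return {"default": sorted(REQUIRED_FLAGS)}
    return {k: ([] if "ignore" in v else sorted(REQUIRED_FLAGS - v))
            for k, v in defaults.items()}


def explain(missing):
    """Human-readable reason for each missing flag."""
    return [f"{flag}: {FLAG_PURPOSE[flag]}" for flag in missing]


# Constructed samples: the line as posted in the thread, and the hardened line.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for key, missing in audit_default(conf).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{name:9s} restrict {key}: {status}")
            for line in explain(missing):
                print("    " + line)
```

Run against a live `/etc/ntp.conf` by reading the file into `audit_default`; the check is static, so pair it with watching for mode 6/7 responses leaving the host if you want confirmation that `noquery` is actually in effect.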
