There are no use cases that outweigh the DDOS attack issues. Please see
the pool recommendations:
http://www.pool.ntp.org/join/configuration.html
Management queries
Make the default configuration be to not allow "management queries". For
ntpd this will be adding the "noquery" option to the default "restrict"
lines, for example:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Fix your configuration, and you really won't have to worry about this
anymore.
On 2/16/2014 5:56 PM, Nyamul Hassan wrote:
restrict default limited kod notrap nopeer
Add noquery to the above list or your machines will allow DDoSing other
folks.
Yes, we could. But, some people on this list believe that "noquery" also
restricts certain use cases, which as "Pool Servers" we should be able to
accommodate. What do you think?
Regards
HASSAN
--
restrict 127.0.0.1
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig=all
logfile /var/log/ntp.log
Thank you once again for your help!
Regards
HASSAN
On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <[email protected]> wrote:
Hello Nyamul
On 16.02.14 04:33, Nyamul Hassan wrote:
After enabling each of them, we tried "disabling" the rule we enforced earlier (the one blocking remote clients which did not have a source port of 123) for one of our "high target" servers. As soon as we lifted that rule, that server spiked outbound UDP traffic around 8-12 Mbps level throughout the 1-2 hours we kept the test running.
I do not know what bandwidth you have set for the Pool and in which zone this server is. This would be helpful to know, as this does have quite an impact on how many requests the server is getting. E.g. if you have set it to 1 Gbit/s and are in a zone and region with just a few servers, you could get much more traffic than with a lower bandwidth in a zone / region with a lot of servers. Depending on these two parameters, eventually the 8-12 Mbits/s are just normal legit ntp requests.
I do have some other questions.
Are you seeing the same amount of requests or packets in inbound and outbound?
What are your settings for the 'restrict default' line in ntp.conf, are you using the options below?
restrict default limited kod notrap nomodify nopeer noquery
As suggested by Rob Janssen, you may leave out the 'kod' option.
Can someone suggest where the rules are failing to stop outbound traffic over extended periods?
If these are legit requests, then you should not block outbound traffic to them, you should serve them with time.
My recommendation is to let ntpd do the rate limiting and not blocking / limiting traffic with iptables or such.
bye
Fabian
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
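The recommendation at the top of the thread (add "noquery" to every "restrict default" line) and Fabian's question about the 'restrict default' settings both come down to one check: does each default restrict line, including the "-6" form, carry the full option set, so that mode 6/7 management queries from the Internet are refused while ordinary time requests are still served. The script below is an added example, not code from the list thread, from ntp.org or from the ntpd project. It assumes the reference ntpd's restrict syntax; the function names audit_restrict and harden_restrict are its own, and the sample ntp.conf it checks is constructed here from the weak lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not code from the pool list thread, ntp.org or ntpd):
# audit an ntp.conf for "restrict ... default" lines that lack the options
# recommended in the thread, and emit a hardened copy. Assumes the ntpd
# (reference implementation) restrict syntax; the sample config is constructed.

# Recommended options for the default restriction, per the thread.
# "limited" is not required here but is kept if already present.
WANTED="kod nomodify notrap nopeer noquery"

# audit_restrict FILE: print each "restrict [-4|-6] default ..." line that is
# missing one or more of the options in $WANTED, prefixed with its line
# number and the missing options. Prints nothing when the file is clean.
audit_restrict() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " ") }
        # Only default lines matter: they apply to every client not matched
        # by a more specific restrict line, i.e. the whole Internet.
        /^[ \t]*restrict[ \t]/ {
            isdefault = 0
            for (i = 2; i <= NF; i++) if ($i == "default") isdefault = 1
            if (!isdefault) next
            missing = ""
            for (j = 1; j <= n; j++) {
                found = 0
                for (i = 2; i <= NF; i++) if ($i == w[j]) found = 1
                if (!found) missing = missing (missing == "" ? "" : " ") w[j]
            }
            if (missing != "") print NR ": missing [" missing "]: " $0
        }' "$1"
}

# harden_restrict FILE: copy FILE to stdout with every default restrict line
# extended by whatever recommended options it lacks; all other lines pass
# through unchanged, so the output is a drop-in replacement ntp.conf.
harden_restrict() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, w, " ") }
        /^[ \t]*restrict[ \t]/ {
            isdefault = 0
            for (i = 2; i <= NF; i++) if ($i == "default") isdefault = 1
            if (isdefault) {
                for (j = 1; j <= n; j++) {
                    found = 0
                    for (i = 2; i <= NF; i++) if ($i == w[j]) found = 1
                    if (!found) $0 = $0 " " w[j]   # appending rebuilds NF too
                }
            }
        }
        { print }' "$1"
}

# Constructed sample: the weak default lines quoted in the thread (no
# noquery, no nomodify) plus loopback lines that must stay untouched.
sample_conf() {
    printf '%s\n' \
        'driftfile /var/lib/ntp/drift' \
        'restrict default limited kod notrap nopeer' \
        'restrict -6 default limited kod notrap nopeer' \
        'restrict 127.0.0.1' \
        'restrict ::1'
}

# Demo when run directly: list the findings, then print the hardened config.
tmp=$(mktemp)
sample_conf > "$tmp"
echo "== findings =="
audit_restrict "$tmp"
echo "== hardened =="
harden_restrict "$tmp"
rm -f "$tmp"
```

Run it against the live file with `audit_restrict /etc/ntp.conf`; an empty result means every default line already carries the set. After installing a hardened file and restarting ntpd, confirm from an address that is not covered by one of your more specific restrict lines that an ordinary time request (for example `ntpdate -q server`) is still answered while `ntpq -c rv server` gets no reply: that is the behaviour "noquery" is meant to produce, and it is what stops the server from being used as an amplifier.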