Nyamul Hassan writes:
> Thank you Fabian Wenk for your response. All these 8-12 Mbps is against
> 5-10 hosts, of which top 1-2 hosts are seeing somewhere around 2-5 Mbps
> each.
>
> We also noted that, almost invariably, the remote ports are not 123.
>
> Our ntp.conf settings are as follows:
>
> restrict default limited kod notrap nopeer

Add noquery to the above list or your machines will allow DDoSing other folks.

H
--
> restrict 127.0.0.1
> restrict ::
> driftfile /var/lib/ntp/drift
> keys /etc/ntp/keys
> logconfig=all
> logfile /var/log/ntp.log
>
> Thank you once again for your help!
>
> Regards
> HASSAN
>
>
> On Sun, Feb 16, 2014 at 9:54 PM, Fabian Wenk <[email protected]> wrote:
>
> > Hello Nyamul
> >
> > On 16.02.14 04:33, Nyamul Hassan wrote:
> >
> >> After enabling each of them, we tried "disabling" the rule we enforced
> >> earlier (the one blocking remote clients which did not have a source port
> >> of 123) for one of our "high target" servers. As soon as we lifted that
> >> rule, that server spiked outbound UDP traffic around 8-12 Mbps level
> >> throughout the 1-2 hours we kept the test running.
> >
> > I do not know what bandwidth you have set for the Pool and in which zone
> > this server is. This would be helpful to know, as this does have quite an
> > impact on how many requests the server is getting. E.g. if you have set it
> > to 1 Gbit/s and are in a zone and region with just a few servers, you could
> > get much more traffic than with a lower bandwidth in a zone / region with
> > a lot of servers. Depending on these 2 parameters, eventually the 8-12
> > Mbit/s are just normal legit ntp requests.
> >
> > I do have some other questions.
> >
> > Are you seeing the same amount of requests or packets in inbound and
> > outbound?
> >
> > What are your settings for the 'restrict default' line in ntp.conf, are
> > you using the options below?
> >
> > restrict default limited kod notrap nomodify nopeer noquery
> >
> > As suggested by Rob Janssen, you may leave out the 'kod' option.
> >
> >> Can someone suggest where the rules are failing to stop outbound traffic
> >> over extended periods?
> >
> > If these are legit requests, then you should not block outbound traffic to
> > them, you should serve them with time.
> >
> > My recommendation is to let ntpd do the rate limiting and not block /
> > limit traffic with iptables or such.
> >
> > bye
> > Fabian
> >
> > _______________________________________________
> > pool mailing list
> > [email protected]
> > http://lists.ntp.org/listinfo/pool
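The exchange above comes down to one missing word on one line: a 'restrict default' without noquery answers mode 6/7 control queries from anyone, and those replies are what let a pool server be pointed at somebody else. The following is an added example, not code from the thread or from the ntp project: a small linter that parses the restrict lines of an ntp.conf excerpt (the posted one is embedded as a constructed copy), reports which of the flags from Fabian's recommended line are absent on 'restrict default', and prints the hardened line. The choice of which flags count as required is an assumption made here, following the thread in treating 'kod' as optional; the function names are hypothetical.

```python
# Constructed copy of the ntp.conf excerpt posted earlier in this thread.
POSTED_CONF = """\
restrict default limited kod notrap nopeer
restrict 127.0.0.1
restrict ::
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig=all
logfile /var/log/ntp.log
"""

# The 'restrict default' flags Fabian's message lists for a public pool server.
RECOMMENDED = ("limited", "kod", "notrap", "nomodify", "nopeer", "noquery")

# Flags whose absence lets strangers query, trap or reconfigure the server
# (assumption made for this example). 'kod' is left out because the thread
# says it may be omitted.
REQUIRED = frozenset(("limited", "notrap", "nomodify", "nopeer", "noquery"))


def parse_restrict_lines(conf_text):
    """Map each restrict target (e.g. 'default', '127.0.0.1') to its flag set.

    Handles the optional -4/-6 selector and the 'mask' argument of ntpd's
    restrict syntax; comments and lines for other keywords are skipped.
    """
    result = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):          # address-family selector
            tokens = tokens[1:]
        target, flags = tokens[0], tokens[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            target = f"{target} mask {flags[1]}"
            flags = flags[2:]
        result.setdefault(target, set()).update(flags)
    return result


def missing_flags(conf_text, target="default"):
    """Return the sorted REQUIRED flags absent from 'restrict <target>'.

    No 'restrict default' line at all means ntpd applies no restrictions,
    so every required flag is reported. A target restricted with 'ignore'
    answers nobody, so nothing is reported for it.
    """
    flags = parse_restrict_lines(conf_text).get(target)
    if flags is None:
        return sorted(REQUIRED)
    if "ignore" in flags:
        return []
    return sorted(REQUIRED - flags)


def hardened_line(conf_text, target="default"):
    """Rewrite 'restrict <target>' with the recommended flags, keeping any
    flags the operator already had (so an existing 'kod' survives)."""
    existing = parse_restrict_lines(conf_text).get(target, set())
    flags = [f for f in RECOMMENDED if f in existing or f in REQUIRED]
    extras = sorted(existing - set(RECOMMENDED))
    return " ".join(["restrict", target] + flags + extras)


if __name__ == "__main__":
    # Only 'default' is checked: the 127.0.0.1 and :: lines are meant to
    # stay unrestricted so local ntpq keeps working.
    gap = missing_flags(POSTED_CONF)
    if gap:
        print("restrict default is missing:", ", ".join(gap))
        print("suggested line:", hardened_line(POSTED_CONF))
    else:
        print("restrict default looks fine")
```

Run against the posted excerpt it reports nomodify and noquery missing and suggests the exact line Fabian quoted. After changing the file, a restart of ntpd is still needed, and the quickest confirmation from another host is that 'ntpq -c rv' and 'ntpdc -c monlist' (on ntpd versions that still have mode 7) time out instead of answering.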
