> What I saw was a server that WAS serving monlist packets. I
> corrected the config to fix this, and was still seeing 2000+ packets
> a second incoming.

That will continue for a nontrivial time. I used to just rate-block (like rate-limiting except that when the limit trips, it drops them all, not just the ones that exceed the limit). In an email exchange with a victim site, I finally said "nolo contendere" and ripped REQ_MON_GETLIST and REQ_MON_GETLIST_1 support out entirely. That was over a week ago. I'm still getting high rates of packets to port 123, even though I haven't supported monlist for over a week.

> The IPTables rule stops that, and other abusive (too chatty) clients.
> Never hurts to have two lines of defense.

True. I still have my rate-trips up too. The blacklist in my border is cruising around 1K entries, almost all of them having landed there because of excessive port-123 traffic. (About 99%, based on a quick-&-dirty log scan - list's at 1065 and had 11 other "add"s.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!
[email protected]
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
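The post contrasts "rate-blocking" (once a source trips the limit, drop everything from it for a while) with plain rate-limiting (drop only the excess). The following Python is an added illustration written for this page; it is not the poster's code, nor part of ntpd or the NTP pool project. It simulates both policies over a constructed list of inbound port-123 packets (one source at 20 pps, one at 1 pps, addresses from the RFC 5737 documentation ranges) so the difference in what still gets through is visible. Thresholds and the two-second block duration are assumptions chosen so the sample shows a block expiring and re-tripping; a real deployment would block for minutes or longer.

```python
"""Rate-block vs rate-limit for an NTP server's inbound port-123 traffic.

Added example for illustration. The packet list is constructed, not a capture.
"""
from collections import defaultdict, deque

LIMIT = 5          # packets allowed from one source per WINDOW_MS (assumed)
WINDOW_MS = 1000   # sliding window length in milliseconds
BLOCK_MS = 2000    # full-block duration after a trip (kept short for the demo)


def make_sample_packets():
    """Constructed traffic: one chatty source at 20 pps for 3 s and one polite
    source at 1 pps. Tuples are (timestamp_ms, src_ip, dst_port)."""
    chatty = [(i * 50, "203.0.113.7", 123) for i in range(60)]
    polite = [(t, "198.51.100.2", 123) for t in (500, 1500, 2500)]
    return sorted(chatty + polite)


class RateLimiter:
    """Classic rate limiting: each source gets up to LIMIT packets through per
    window and only the excess is dropped, so a flood still gets LIMIT pps."""

    def __init__(self, limit=LIMIT, window_ms=WINDOW_MS):
        self.limit, self.window_ms = limit, window_ms
        self.passed = defaultdict(deque)   # src -> timestamps of packets let through

    def accept(self, ts, src):
        q = self.passed[src]
        while q and q[0] <= ts - self.window_ms:   # forget packets outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


class RateBlocker:
    """Rate blocking as described in the thread: once a source exceeds LIMIT
    within a window, drop everything from it for BLOCK_MS, not just the excess."""

    def __init__(self, limit=LIMIT, window_ms=WINDOW_MS, block_ms=BLOCK_MS):
        self.limit, self.window_ms, self.block_ms = limit, window_ms, block_ms
        self.seen = defaultdict(deque)   # src -> timestamps of all packets in window
        self.blocked_until = {}          # src -> ms at which its block expires

    def accept(self, ts, src):
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return False
            del self.blocked_until[src]  # block expired; the source starts fresh
        q = self.seen[src]
        while q and q[0] <= ts - self.window_ms:
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:          # limit tripped: block the source outright
            self.blocked_until[src] = ts + self.block_ms
            q.clear()
            return False
        return True


def tally(policy, packets):
    """Feed packets through a policy and return {src: (passed, dropped)}.
    Only port-123 traffic is counted; anything else is left to other rules."""
    counts = defaultdict(lambda: [0, 0])
    for ts, src, dport in packets:
        if dport != 123:
            continue
        counts[src][0 if policy.accept(ts, src) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    pkts = make_sample_packets()
    for name, policy in (("rate-limit", RateLimiter()), ("rate-block", RateBlocker())):
        print(name, tally(policy, pkts))
```

With these settings the chatty source still gets 15 of its 60 packets through under rate-limiting (five per second, steadily), but only 10 under rate-blocking (five before the first trip, five more after the block lapses, then blocked again), while the polite source is untouched by either. The same semantics are what a border firewall implements when a per-source counter feeds a blacklist; on the ntpd side, the stock configuration fix for monlist is `disable monitor` in ntp.conf together with a `restrict default ... noquery` line, which removes the amplification vector without patching the daemon as the poster did.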
