Removing noquery is not a good idea. You *will* be abused for DDoS
attacks in short order. I think the "repeating their query" that you're
seeing is someone who's being attacked. It's very unlikely a legitimate
client is repeating their query over and over again.

Just use noquery. As far as I'm aware, KOD has no effect on management
queries (such as monlist).
On 3/2/2014 5:06 PM, Klaus Hartnegg wrote:
> On 01.03.2014 18:51, David Thistlethwaite wrote:
>> About every 2-3 months I get between 2-5 clients that are pulling MB/s
>> from my ntp server and it completely saturates my pipe.
>> Any ideas how to prevent/resolve this?
>
> Check the lines with "restrict" and "default" in the file ntpd.conf.
> Is "noquery" included? If not: append it. People who want to make DDoS
> attacks love ntp servers where this is missing. But they will not
> necessarily notice that you have added it, and might keep trying.
>
> If "noquery" was already included, then is "kod" included? Some
> clients react to this by repeating their query. Try removing it.
>
> If "noquery" was already included and "kod" was not, then somebody is
> trying to use your server for a reflection attack, using a forged IP
> address. Rate limiting the incoming ntp traffic per IP address with
> firewall rules will help the victim of the attack, and reduce your
> outbound traffic cost, but will not stop the incoming traffic from
> saturating your line. However if the line has asymmetric capacity (more
> incoming than outgoing), then reducing outbound traffic can improve
> your situation quite a bit.
>
> hope this helps,
> Klaus
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
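The two checks the thread walks through (look at the "restrict ... default" lines for noquery and kod, then rate-limit inbound NTP per source IP at the firewall) as one small script. This is an added example, not code from the thread or from the NTP project. It assumes a POSIX sh, iptables with the hashlimit match, that ntpd reads /etc/ntp.conf (the file Klaus calls ntpd.conf), and the function names, chain name NTP_LIMIT and the 5/second rate are illustrative choices of mine, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the NTP project):
# audit the "restrict ... default" lines of an ntp.conf, print a hardened
# replacement, and generate per-source-IP iptables rate-limit rules.
# File paths, the chain name and the rate numbers are assumptions.

# audit_restrict_lines FILE
# Prints every "restrict [-4|-6] default ..." line that lacks "noquery"
# and notes any that carry "kod" (the flag the thread disagrees about).
# Returns 0 when every default line has noquery, 1 when one is missing
# it or when no default line exists at all (then nothing is restricted).
audit_restrict_lines() {
    file=$1
    found=0
    bad=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
        case $line in
            restrict\ default*|restrict\ -4\ default*|restrict\ -6\ default*) ;;
            *) continue ;;
        esac
        found=1
        case " $line " in
            *" noquery "*) ;;                        # mode 6/7 queries (monlist etc.) refused
            *) bad=1; printf 'missing noquery: %s\n' "$line" ;;
        esac
        case " $line " in
            *" kod "*) printf 'note: kod present: %s\n' "$line" ;;
        esac
    done < "$file"
    [ "$found" -eq 1 ] || { bad=1; echo "no 'restrict default' line found"; }
    return "$bad"
}

# Prints the default restrictions this thread converges on.  "kod" is left
# out of the default lines because the thread disagrees about it; "noquery"
# is what actually stops monlist/mode 7 reflection.
hardened_restrict_lines() {
    cat <<'EOF'
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# ntp_ratelimit_rules [RATE] [BURST]
# Emits iptables rules that cap inbound UDP/123 per source address with
# the hashlimit match.  Real clients poll every 64..1024 s, so 5/second
# is generous for them and tight for a forged-source flood.  As the
# thread notes, this cuts what the server reflects toward the victim but
# cannot stop the inbound packets from filling the link.
# Apply as root with:  ntp_ratelimit_rules | sh
ntp_ratelimit_rules() {
    rate=${1:-5/second}   # assumed default
    burst=${2:-10}        # assumed default
    cat <<EOF
iptables -N NTP_LIMIT
iptables -A NTP_LIMIT -m hashlimit --hashlimit-name ntp --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT
iptables -A NTP_LIMIT -j DROP
iptables -I INPUT -p udp --dport 123 -j NTP_LIMIT
EOF
}

# Usage when run directly:  ./ntp-check.sh audit /etc/ntp.conf
if [ "$#" -gt 0 ]; then
    case $1 in
        audit)    audit_restrict_lines "${2:-/etc/ntp.conf}" ;;
        hardened) hardened_restrict_lines ;;
        rules)    ntp_ratelimit_rules "$2" "$3" ;;
    esac
fi
```

Running `audit` against a config whose default lines lack noquery prints each offending line and exits non-zero; after the hardened lines are in place it exits zero. The rules generator only prints; pipe it into a root shell to apply, and adjust the rate before doing so if your server legitimately serves many clients behind one NAT address.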