> This morning I checked some of the pool servers and I found that a few
> clients send an enormous amount of NTP requests.
I've noticed similar things. I suspect many of the problematic "clients" are really DDoS victims, with your NTP server being used as a source obscurer and, in some cases, as a bandwidth amplifier. (The worst of the bandwidth amplifier effect uses monlist requests, which are relatively widely disabled now, but even if you've got monlist disabled too it wouldn't surprise me if normal requests could produce _some_ amplification.)

I too have implemented rate-limit blocking for NTP (and DNS, though that's not very relevant here). Along with the various other offenses that can get an address router-blocked at my border (e.g., sending to my network or broadcast addresses), I find my border blacklist cruises at about 900 addresses, with brief (~1 day) excursions peaking maybe 150 either way from that.

pool mailing list, http://lists.ntp.org/listinfo/pool
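As an added example (not code from either poster on this thread), the two checks the reply describes, run over a constructed NTP request log: a per-source sliding-window rate check of the kind behind a border blacklist, and a per-request-type amplification ratio showing why monlist matters even when the request rate alone would not trip the limiter. The thresholds, the log tuple layout and the byte sizes are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log: (timestamp_s, source_ip, request_kind, req_bytes, resp_bytes).
# Payload sizes are illustrative: a mode-3 client request and its reply are both
# 48 bytes; a monlist reply is far larger than the request that triggers it.
SAMPLE = [
    (0.0, "192.0.2.10", "client", 48, 48), (0.1, "192.0.2.10", "client", 48, 48),
    (0.2, "192.0.2.10", "client", 48, 48), (0.3, "192.0.2.10", "client", 48, 48),
    (0.4, "192.0.2.10", "client", 48, 48), (0.5, "192.0.2.10", "client", 48, 48),
    (0.0, "198.51.100.7", "monlist", 8, 440), (0.6, "198.51.100.7", "monlist", 8, 440),
    (1.2, "198.51.100.7", "monlist", 8, 440), (1.8, "198.51.100.7", "monlist", 8, 440),
    (0.0, "203.0.113.5", "client", 48, 48), (64.0, "203.0.113.5", "client", 48, 48),
    (128.0, "203.0.113.5", "client", 48, 48),
]

def find_rate_abusers(records, window_s=1.0, max_per_window=5):
    """Sliding-window rate check per source address (thresholds are assumed).

    Returns {source_ip: time_first_exceeded} for every source that sends more
    than max_per_window requests inside any window_s-second span. A well-behaved
    client typically polls every 64 s or more, so this threshold is generous."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _kind, _rq, _rs in sorted(records):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # expire events that left the window
            q.popleft()
        if len(q) > max_per_window and src not in flagged:
            flagged[src] = ts
    return flagged

def amplification_by_kind(records):
    """Bytes sent per byte received, per request kind.

    A ratio well above 1 means a spoofed-source request turns this server into
    a bandwidth amplifier against the victim; that is why monlist is disabled
    even though its request rate alone would not trip the rate limiter."""
    received, sent = defaultdict(int), defaultdict(int)
    for _ts, _src, kind, rq, rs in records:
        received[kind] += rq
        sent[kind] += rs
    return {kind: sent[kind] / received[kind] for kind in received}

if __name__ == "__main__":
    print("rate abusers:", find_rate_abusers(SAMPLE))
    print("amplification:", amplification_by_kind(SAMPLE))
```

Note that the monlist source is never flagged by rate alone; the amplification ratio is what exposes it.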
