I see little logic in sending back a KOD as it defeats the purpose of
limiting abusive clients to begin with. The default restrict line for
teardrop.ca looks as follows:
restrict default noquery nomodify notrap nopeer limited
I did a little test and sent 32 requests in 2 seconds to teardrop; not
surprisingly, after about the 8th request all remaining requests were
dropped/ignored.
If you do an "ntpdc -c monlist" you see a line such as:
remote address          port local address      count m ver code avgint  lstint
===============================================================================
127.0.0.1              55778 216.221.85.101       101 3 4   1f0     74
What does "code" mean...
It is simply a hex encoding for the restrict line values associated with
the client.
0x100 -> notrap
0x080 -> nomodify
0x040 -> noquery
0x020 -> limited (only set when the client has reached its limit)
0x010 -> nopeer
After a while the IP above will have the code 0x1d0, which means "limited"
has been removed. The limited code is only set when a client becomes
abusive.
You can modify how "strict" the limit keyword is but I see little point in
doing so. The defaults catch the people that would annoy me the most.
--
.-------------------------------------.
( Biggest security gap -- an open mouth )
`-------------------------------------'
--
Paul-Andrew Joseph Miseiko
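The decoding described in the reply above, as an added example that is not part of the original thread and not ntpd's own code: a Python script that parses `ntpdc -c monlist` output, turns the hex "code" column into restrict keywords using only the five bits listed above, reports any other set bit raw rather than naming it, and computes the mask that a `restrict` line configures. The monlist sample embedded in it is constructed for illustration, not captured from teardrop.ca, and the assumption that every keyword in a restrict line is one of those five is the script's, not the page's.

```python
"""Decode the "code" column of `ntpdc -c monlist` into restrict keywords.

Added example, not from the original mailing-list thread or from ntpd.
Only the five flag bits named in the message are known here; the sample
monlist output below is constructed, not a real capture.
"""
import re

# Bit -> restrict keyword, as listed in the message above.
RESTRICT_BITS = {
    0x100: "notrap",
    0x080: "nomodify",
    0x040: "noquery",
    0x020: "limited",   # shown in monlist only while the client is being rate-limited
    0x010: "nopeer",
}
KNOWN_MASK = sum(RESTRICT_BITS)          # 0x1f0: every bit this page names


def decode_code(code):
    """Return the restrict keywords for a monlist code value, highest bit first.
    Bits the page does not name are appended as one hex token so nothing is hidden."""
    names = [name for bit, name in sorted(RESTRICT_BITS.items(), reverse=True)
             if code & bit]
    unknown = code & ~KNOWN_MASK
    if unknown:
        names.append(hex(unknown))
    return names


def restrict_line_code(line):
    """Mask configured by a `restrict <addr> [mask <m>] <keywords...>` line.
    Assumption (ours, not the page's): every keyword is one of the five above;
    anything else raises so a typo is not silently ignored."""
    by_name = {name: bit for bit, name in RESTRICT_BITS.items()}
    words = line.split()
    if len(words) < 2 or words[0] != "restrict":
        raise ValueError("not a restrict line: %r" % line)
    i = 2                                # skip "restrict" and the address ("default" or an IP)
    if i < len(words) and words[i] == "mask":
        i += 2                           # skip "mask <netmask>"
    code = 0
    for word in words[i:]:
        if word not in by_name:
            raise ValueError("unknown restrict keyword: %s" % word)
        code |= by_name[word]
    return code


# One monlist data row: remote, port, local, count, mode, version, hex code, avgint, lstint.
MONLIST_RE = re.compile(
    r"^(?P<remote>\S+)\s+(?P<port>\d+)\s+(?P<local>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<mode>\d+)\s+(?P<version>\d+)\s+(?P<code>[0-9a-fA-F]+)\s+"
    r"(?P<avgint>\d+)\s+(?P<lstint>\d+)\s*$")


def parse_monlist(text):
    """Parse monlist output into dicts; the header and '=====' lines do not match and are skipped."""
    clients = []
    for line in text.splitlines():
        m = MONLIST_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        rec = {
            "remote": g["remote"], "local": g["local"],
            "port": int(g["port"]), "count": int(g["count"]),
            "mode": int(g["mode"]), "version": int(g["version"]),
            "code": int(g["code"], 16),
            "avgint": int(g["avgint"]), "lstint": int(g["lstint"]),
        }
        rec["restrict"] = decode_code(rec["code"])
        clients.append(rec)
    return clients


def limited_clients(text):
    """Remote addresses whose 'limited' bit is set, i.e. currently being rate-limited."""
    return [c["remote"] for c in parse_monlist(text) if c["code"] & 0x020]


# Constructed sample in the layout ntpdc prints (not a real capture).
SAMPLE_MONLIST = """\
remote address          port local address      count m ver code avgint  lstint
===============================================================================
127.0.0.1              55778 216.221.85.101       101 3 4   1f0     74       0
192.0.2.10               123 216.221.85.101        12 3 4   1d0   1024      37
"""

if __name__ == "__main__":
    for c in parse_monlist(SAMPLE_MONLIST):
        print("%-15s code=0x%03x %s" % (c["remote"], c["code"], " ".join(c["restrict"])))
    print("rate-limited now:", limited_clients(SAMPLE_MONLIST))
    print("restrict default line -> 0x%03x" % restrict_line_code(
        "restrict default noquery nomodify notrap nopeer limited"))
```

Run against the output of `ntpdc -c monlist` piped into `parse_monlist`, `limited_clients` lists exactly the addresses that currently carry the 0x020 bit, which is the set of clients the `limited` keyword is dropping at that moment; a client that shows 0x1d0 a while later has simply fallen back under the threshold, as the reply explains.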
On Thu, 22 Sep 2005, Kirk Strauser wrote:
On Thursday 22 September 2005 09:49, Joel Reicher wrote:
I think average and minimum are the stats reported by the ntpdc monlist
command for avgint and lstint.
That'd make sense. Thanks.
Your configuration file looks fine to me. You've probably hit the issue
that has been spoken about many times on this list: ntpd can't do
anything about a client that won't obey KOD packets.
I understand that part. There's not much to do with broken clients but
ignore them somehow. What irked me was seeing my server continually
replying to those clients:
$ sudo tcpdump -n port 123 and host 71.10.124.9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
10:26:21.124774 IP 71.10.124.9.62936 > 10.0.5.16.123: NTPv4, Client, length 48
10:26:21.124845 IP 10.0.5.16.123 > 71.10.124.9.62936: NTPv4, Server, length 48
10:26:22.120608 IP 71.10.124.9.62936 > 10.0.5.16.123: NTPv4, Client, length 48
10:26:22.120805 IP 10.0.5.16.123 > 71.10.124.9.62936: NTPv4, Server, length 48
10:26:25.125081 IP 71.10.124.9.62936 > 10.0.5.16.123: NTPv4, Client, length 48
10:26:25.125261 IP 10.0.5.16.123 > 71.10.124.9.62936: NTPv4, Server, length 48
I just wish I could tell ntpd to quit replying to this guy.
Out of curiosity, I never see any KOD packets logged in the logfile.
If my server sends some, should I see entries when it happens? Surely
clients as egregiously broken as the one above would meet even the most
conservative "discard" settings, shouldn't they?
--
Kirk Strauser
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers