Hi all,

I've been running a server in the pool for one week now and I have had a couple of occurrences of an interesting problem. According to the ntp_clients_stats script made by Wayne Schlitt, my number of active clients averages around 600-700 clients.

But on three occurrences in the last week (03/24/06 14:20 EST, 03/26/06 16:30 EST and 03/31/06 10:45 EST), the number of active clients quickly rose to 1500-2500. That high number of clients lasts for around an hour, then goes down. Here's a RRDtool graph showing the last spike:
http://132.214.200.200/stats/clients-spike.png

My Cisco router sees that as a DDoS attack, and starts to do all kinds of countermeasures that affect our users' normal traffic.

In case anyone is having the same problem, Cisco has a document describing its DDoS countermeasures: http://xrl.us/knnp

Setting
#ip inspect one-minute high 1500
#ip inspect one-minute low  1200
seems to have solved the countermeasures problem. From the Java GUI, it's in Configure, Additional Tasks, Inspection Rule Editor, Global Settings.

However, I would be interested in knowing a bit more about the cause of this surge in clients. I guess this is because, during that time, my NTP server shows up in the DNS response for pool.ntp.org. If that's the case, would it be possible for the DNS servers to return a server more often but for shorter amounts of time, in order to spread the load on the NTP servers?

Have a good weekend,
GFK's
--
Guillaume Filion, ing. jr
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/