On Sun, 8 Apr 2007, Hans wrote:
> On Sunday 08 April 2007 14:09, [EMAIL PROTECTED] wrote:
>> On Sun, 8 Apr 2007, Hans wrote:
>>> Hi,
>>>
>>> Last week I switched to another ADSL-provider (cheaper, faster,
>>> better(?)). With the new connection I got another modem. The modem (ST
>>> WL780i) allows only 1024 concurrent connections. NTP-pool delivers me
>>> much more.
>>
>> Are you sure you are reaching the limit ??
>
> I did that once, I try to prevent running into it again, it jeopardises my
> internet connection completely.
>
>>
>> I would find 1024 quite low anyway, linux conntracking supports 65536 at
>> least.
>
> I agree completely, the modem design is not mine.
>
>>
>> Anyway I never get more than 512 conntrack entries for UDP 123. (NTP)
>>
>> You have to remember UDP is connection less anyway.
>
> I'm not a network guru but UDP does create sockets on which a sort of
> connection can be established. E.g. replies to SIP requests do get back to
> the correct server without setting NAT, I found out yesterday.
>
> This is (part of) what the modem says:
>
> {Administrator}=>:connection list
> ID proto state substate flags timeout
> -- ----- ----- -------- ----- -------
> 381 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 7"
> INIT: 762 10. 0. 0. 12:51418 10. 0. 0.138: 23 [....] LocalNetwork
> 216 tcp 0
> RESP: 763 10. 0. 0.138: 23 10. 0. 0. 12:51418 [R...] loop 178
> tcp 0
> 390 udp ACTIVE 0 [.........] 44"
> INIT: 780 10. 0. 0.199: 2152 193. 93. 46. 46:16569 [....] LocalNetwork
> 37337 udp 0
> RESP: 781 193. 93. 46. 46:16569 89.220. 77.156:55354 [R...] Internet
> 72977 udp 0
> 605 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 7"
> INIT: 1210 10. 0. 0.200: 1049 207. 46.109. 50: 1863 [....] LocalNetwork
> 381 tcp 0
> RESP: 1211 207. 46.109. 50: 1863 89.220. 77.156:55045 [R...] Internet
> 374 tcp 0
> 664 udp ACTIVE 0 [.........] 43"
> INIT: 1328 66. 99. 85.250: 385 89.220. 77.156: 123 [....] Internet
> 363 udp 0
> RESP: 1329 10. 0. 0. 12: 123 66. 99. 85.250: 385 [R...] LocalNetwork
> 147 udp 0
> 562 udp ACTIVE 0 [.........] 43"
> INIT: 1124 60.231.113.109: 123 89.220. 77.156: 123 [....] Internet
> 364 udp 0
> RESP: 1125 10. 0. 0. 12: 123 60.231.113.109: 123 [R...] LocalNetwork
> 148 udp 0
> 525 udp ACTIVE 0 [.........] 43"
> INIT: 1050 10. 0. 0.199:55026 193. 93. 46. 46:55025 [....] LocalNetwork
> 1421 udp 0
> RESP: 1051 193. 93. 46. 46:55025 89.220. 77.156:55367 [R...] Internet
> 0 udp 0
> 495 udp ACTIVE 0 [.........] 43"
> INIT: 990 138.232. 65.157:37151 89.220. 77.156: 123 [....] Internet
> 87 udp 0
> RESP: 991 10. 0. 0. 12: 123 138.232. 65.157:37151 [R...] LocalNetwork
> 84 udp 0
> 936 udp ACTIVE 0 [.........] 43"
> INIT: 1872 131.109.225. 34: 277 89.220. 77.156: 123 [....] Internet
> 364 udp 0
> RESP: 1873 10. 0. 0. 12: 123 131.109.225. 34: 277 [R...] LocalNetwork
> 148 udp 0
> 794 udp ACTIVE 0 [.........] 43"
> INIT: 1588 81.175. 75. 1:63100 89.220. 77.156: 123 [....] Internet
> 364 udp 0
> RESP: 1589 10. 0. 0. 12: 123 81.175. 75. 1:63100 [R...] LocalNetwork
> 148 udp 0
> 32 udp ACTIVE 0 [.........] 43"
> INIT: 64 81. 0.176.226: 123 89.220. 77.156: 123 [....] Internet
> 576 udp 0
> RESP: 65 10. 0. 0. 12: 123 81. 0.176.226: 123 [R...] LocalNetwork
> 576 udp 0
> 473 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 6"
> INIT: 946 10. 0. 0.200: 1203 75. 57.135. 87: 8968 [....] LocalNetwork
> 2192 tcp 0
> RESP: 947 75. 57.135. 87: 8968 89.220. 77.156:56019 [R...] Internet
> 2246 tcp 0
> 317 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 5"
> INIT: 634 10. 0. 0.200: 1179 69.145.229. 13:41293 [....] LocalNetwork
> 2136 tcp 0
> RESP: 635 69.145.229. 13:41293 89.220. 77.156:55992 [R...] Internet
> 2184 tcp 0
> 864 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 6"
> INIT: 1728 10. 0. 0.200: 1439 207. 46. 27. 48: 1863 [....] LocalNetwork
> 24 tcp 0
> RESP: 1729 207. 46. 27. 48: 1863 89.220. 77.156:56704 [R...] Internet
> 23 tcp 0
> 502 udp ACTIVE 0 [.........] 42"
> INIT: 1004 24.150. 54.223:63729 89.220. 77.156: 123 [....] Internet
> 363 udp 0
> RESP: 1005 10. 0. 0. 12: 123 24.150. 54.223:63729 [R...] LocalNetwork
> 147 udp 0
> 234 udp ACTIVE 0 [.........] 42"
> INIT: 468 67.155. 45. 66:48271 89.220. 77.156: 123 [....] Internet
> 364 udp 0
> RESP: 469 10. 0. 0. 12: 123 67.155. 45. 66:48271 [R...] LocalNetwork
> 147 udp 0
> 778 tcp ACTIVE [TCPS_ESTABLISHED-TCPS_ESTABLISHED] [.........] 15' 5"
>>
>> So it boils down to: Are you sure you are experiencing a problem because
>> of that 1024 limit ???
>
> More modem output:
>
> {Administrator}=>connection stats
> Connection statistics:
> -------------------------------------------
> Maximum number of connections : 1024
> Maximum number of halfopen connections : 1024
> -------------------------------------------
> Number of active connections : 287
> Number of halfopen connections : 9
> Number of expected connections : 0
> Number of loose connections : 0
> Number of closing connections : 0
> Number of idle connections : 99
> Number of mcast connections : 0
> -------------------------------------------
> Number of TCP connections : 46
> Number of UDP connections : 241
> Number of ICMP connections : 0
> Number of non TCP/UDP/ICMP connections : 0
>
>
> Best regards,
>
> Hans
> _______________________________________________
> timekeepers mailing list
> [email protected]
> https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
>
Your numbers make sense; I assume you could have reached the limit.
UDP is connection-less but your router has to remember a packet went
through to route the reply packet. This is called conntracking. (You never
see UDP in the ESTABLISHED state, only TCP connections can be ESTABLISHED.)
Abusers that query every second keep an entry in your router's conntrack
table just for themselves, while regular clients' entries go away after a
few seconds.
I see 3 solutions:
1) Drop abuser packets; you will end up using half-open connections in
your modem instead of open connections.
2) Set your bandwidth to 256 Kbs on the pool web site.
3) Set your modem in straight-through mode if feasible and use a Linux
firewall; this is what I end up doing most of the time.
Louis
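To put numbers on Louis's explanation, an added example that is not part of the thread: a Python model of the modem's conntrack table in which every inbound UDP/123 query creates or refreshes an entry with a fixed lifetime. The client population and addresses are constructed, and the 45-second UDP timeout is an assumption taken from the 42"-44" remaining on the UDP entries in Hans's listing.

```python
"""Conntrack occupancy model for an NTP pool server behind a NAT modem.

Every inbound UDP/123 query creates or refreshes one table entry that lives
for `timeout` seconds. A client querying more often than the timeout holds a
slot permanently; a well-behaved client polling every 1024 s occupies one
only 45/1024 of the time. Clients are constructed; the timeout is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    addr: str       # remote ip:port, constructed sample value
    interval: int   # seconds between queries
    phase: int = 0  # time of the first query


UDP_TIMEOUT = 45  # assumed modem UDP conntrack timeout (listing shows 42"-44")
# 1024 well-behaved pool clients polling every 1024 s with staggered phases
REGULAR = [Client(f"198.51.100.{i % 256}:{40000 + i}", 1024, phase=i)
           for i in range(1024)]
# 10 misbehaving clients that query every second (RFC 5737 test addresses)
ABUSERS = [Client(f"203.0.113.{i}:123", 1) for i in range(10)]


def simulate(clients, timeout, duration):
    """Return the table occupancy at each second of a `duration`-second run."""
    table = {}  # addr -> expiry time
    occupancy = []
    for now in range(duration):
        for c in clients:
            if now >= c.phase and (now - c.phase) % c.interval == 0:
                table[c.addr] = now + timeout  # query seen: create/refresh entry
        # an entry is alive while now < expiry, i.e. for exactly `timeout` seconds
        for addr in [a for a, exp in table.items() if exp <= now]:
            del table[addr]
        occupancy.append(len(table))
    return occupancy


def steady_state(clients, timeout):
    """Analytic long-run occupancy: each client holds min(1, timeout/interval) slots."""
    return sum(min(1.0, timeout / c.interval) for c in clients)


if __name__ == "__main__":
    without = simulate(REGULAR, UDP_TIMEOUT, 300)[-1]
    with_abusers = simulate(REGULAR + ABUSERS, UDP_TIMEOUT, 300)[-1]
    print(f"{len(REGULAR)} regular clients alone hold {without} slots")
    print(f"adding {len(ABUSERS)} once-per-second clients raises that to {with_abusers}")
    print(f"analytic estimate: {steady_state(REGULAR + ABUSERS, UDP_TIMEOUT):.1f}")
```

With these inputs the ten once-per-second clients, under 1% of the population, occupy about 18% of the table; dropping them (Louis's first option) brings it back to the 45 slots the regular clients need.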