> Hi,
>
> I removed my server from www.pool.ntp.org quite some time ago, I think it
> was in July. I run iptables-based traffic counting, and today I still see
> many requests to UDP port 123 on that machine. Right now more than 200
> packets in one minute. How come? For me it looks as if outdated DNS data was
> available and is being used.
I'm certain that many people are going to say the same thing, and maybe someone will respond before I even finish typing this. NTP servers will typically perform a DNS lookup when they start. However, once they start, they will never do another DNS lookup for the duration of their execution. Also, many Unix-style computers remain up and running for months to years without being rebooted. So yes, you're going to see a lot of NTP traffic long after you've left the pool. And if you examine the IP addresses of the traffic you're seeing, you'll see a lot of repeats from the same IP addresses. And you're going to continue seeing traffic from those IP addresses until each individual box is eventually rebooted.

A large amount of the traffic you're seeing will be from badly configured NTP clients, like ones that hit you multiple times in the same minute or even the same second. And sorry to tell you, but setting up some firewall rules to exclude that traffic frequently won't help, since many of the abusive clients, when they stop seeing responses, simply step up their request rate in an attempt to get a response.

So all I can say is be patient. The traffic will go down slowly over time.

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
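The reply above describes two things worth measuring on a host that has left the pool: how many distinct sources keep coming back, and which of them query far more often than any sane NTP client should. The following is an added example, not code from either poster. It assumes the iptables counting is done with a LOG target (for instance `iptables -A INPUT -p udp --dport 123 -j LOG --log-prefix "NTP-IN: "`), and the sample log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example rather than taken from the original post.

```python
"""Count NTP (UDP/123) requests per source from iptables LOG output and
flag clients that query far more often than a well-behaved NTP client.

Added example; the log lines below are constructed, not real captures."""
import re
from collections import Counter

# Constructed kernel log lines as written by an iptables LOG rule with
# --log-prefix "NTP-IN: ". One source (192.0.2.10) hammers the server, one
# (192.0.2.20) polls politely, one line is DNS (port 53) and one is unrelated.
SAMPLE_LOG = """\
Oct 12 10:00:01 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:00:01 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:00:02 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:00:17 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:00:33 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:00:49 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:01:03 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:01:05 ntp1 kernel: DNS-IN: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=4455 DPT=53 LEN=40
Oct 12 10:01:40 ntp1 kernel: eth0: link is up
Oct 12 10:02:11 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Oct 12 10:02:12 ntp1 kernel: NTP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

# syslog timestamp, then the SRC=/PROTO=/DPT= fields the LOG target emits
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_ntp_events(log_text):
    """Return [(timestamp, src)] for every logged UDP packet to port 123.
    Lines that do not match the LOG format, or are not NTP, are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["proto"] == "UDP" and m["dpt"] == "123":
            events.append((m["stamp"], m["src"]))
    return events


def per_minute(stamp):
    """'Oct 12 10:00:01' -> 'Oct 12 10:00'."""
    return stamp.rsplit(":", 1)[0]


def per_second(stamp):
    return stamp


def count_per_window(events, bucket):
    """Counter keyed by (src, window) where window = bucket(timestamp)."""
    return Counter((src, bucket(stamp)) for stamp, src in events)


def packets_per_source(events):
    """Total packets per source address, the 'lots of repeats' the reply mentions."""
    return Counter(src for _, src in events)


def repeat_sources(events):
    """Sources that came back in more than one distinct minute."""
    minutes = {}
    for stamp, src in events:
        minutes.setdefault(src, set()).add(per_minute(stamp))
    return {src for src, seen in minutes.items() if len(seen) > 1}


def flag_abusive(events, max_per_minute=4, max_per_second=1):
    """[(src, window, count, rule)] for each window where a source exceeded a
    threshold. The thresholds are assumptions for this example: a sane client
    polls every 64 to 1024 seconds, so even 4 per minute is generous."""
    hits = []
    for (src, minute), n in sorted(count_per_window(events, per_minute).items()):
        if n > max_per_minute:
            hits.append((src, minute, n, "per-minute"))
    for (src, second), n in sorted(count_per_window(events, per_second).items()):
        if n > max_per_second:
            hits.append((src, second, n, "per-second"))
    return hits


if __name__ == "__main__":
    ev = parse_ntp_events(SAMPLE_LOG)
    print("NTP packets:", len(ev))
    print("per source:", packets_per_source(ev).most_common())
    print("repeat sources:", sorted(repeat_sources(ev)))
    for hit in flag_abusive(ev):
        print("abusive:", hit)
```

Run against a real `journalctl -k` or `/var/log/kern.log` dump, the per-source counts show how much of the residual traffic is a handful of repeat offenders versus a long tail of clients that resolved the old pool name once and will keep it until they restart. Note that the `per-second` rule only catches clients that are already misbehaving; given the reply's warning that dropped responses make some clients retry faster, the numbers from this script are useful for sizing the problem, not as a trigger for automatic blocking.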
