Just for grins, I turned on a tcpdump of my traffic. It's amazing how
many different people/organizations use the NTP pool. I noticed an
unnamed national lab is very very chatty to external NTP servers. It's
odd that they'd get their time from external servers. Where I work,
our network doesn't allow NTP traffic out, you have to use internal
servers.
---
Brandon West
[EMAIL PROTECTED]
---
QOTD - "Life is fraught with opportunities to keep your mouth shut."
On Apr 25, 2008, at 8:44 PM, John Pettitt wrote:
Matt Wagner wrote:
I recently added a second server to the pool. It's in Pennsylvania
(USA), but was incorrectly placed in the South America / Brazil zones,
presumably via a bad entry in GeoIP.
An interesting aside, it's getting 8 queries a second, set to 3 Mbps.
My Texas server is set to 10 Mbps and sees about 0.8 a second.
Probably because South America has a mere 16 servers, whereas North
America has 550.
I've noticed that, although I'm being inundated with queries, most are
coming from a handful of badly-behaved clients. The top 10 queries are
hitting me every 8 seconds or less. The worst offender
(gestum01.datadrome.net / 200.203.122.235) is querying me at the
insane rate of TWO queries every second (i.e., every 500 ms).
I've never had to deal with this before... How do you guys block these
nuts? It's just a handful of badly-configured clients, so I don't want
to leave the pool entirely. I'm not sure how the KoD works, nor how to
configure it. Do most clients respect that, or do I have to look at
firewalling? Does ntpd respect /etc/hosts.deny?
(As an aside, do you think it makes sense for me to stay as a Brazil
server? Obviously, my time quality will be degraded, but Brazil seems
awfully under-represented in terms of NTP hosts.)
-- Matt
I have a script I run that adds bad servers to my ipfw tables (this on
FreeBSD). My server that is set to gigabit is currently blocking 82
IPs. If they stop trying to talk to me for more than an hour it
unblocks them.
Once in a while I look up the IP and email the admin - sometimes it
actually works.
John
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
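The block-and-expire logic John describes (add a source that polls too often to an ipfw table, drop it from the table once it has been silent for an hour), as an added example that is not part of any message in the thread and is not John's script. It reads constructed tcpdump-style lines (`tcpdump -n -tt` format with epoch timestamps), uses RFC 5737 documentation addresses rather than the hosts named above, and the rate threshold, window and ipfw table number are assumptions.

```python
"""Rate-based block table for abusive NTP clients.

Added illustration, not John's script or anything from the pool project.
It models the behaviour he describes: count queries per source address,
add sources that exceed a rate threshold to a block table, and remove
them after they have been silent for an hour. The thresholds, the
tcpdump-style input and the client addresses are assumptions (RFC 5737
documentation addresses), not data from the thread.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60          # assumption: judge a client on its last minute of traffic
MAX_QUERIES_PER_WINDOW = 8   # assumption: more than one query per ~8 s is abusive
IDLE_UNBLOCK_SECONDS = 3600  # an hour of silence clears the block, as in the thread
IPFW_TABLE = 1               # assumption: the table a 'deny udp ... dst-port 123' rule uses

# tcpdump -n -tt style: epoch timestamp, then "IP src.port > dst.port: NTPv4, Client, ..."
_LINE_RE = re.compile(r"^(\d+\.\d+) IP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > ")


def parse_tcpdump_line(line):
    """Return (timestamp, source_ip) for a query line, or None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return float(m.group(1)), m.group(2)


@dataclass
class BlockTable:
    recent: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> timestamps in window
    last_seen: dict = field(default_factory=dict)                     # ip -> last packet time
    blocked: dict = field(default_factory=dict)                       # ip -> time blocked
    actions: list = field(default_factory=list)                       # ("block"|"unblock", ip, ts)

    def observe(self, ts, ip):
        """Account for one query from ip at time ts."""
        self.last_seen[ip] = ts      # a blocked client still 'trying to talk' resets its idle timer
        self.tick(ts)
        if ip in self.blocked:
            return                   # the firewall drops these; nothing more to decide
        window = self.recent[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()         # keep only queries inside the sliding window
        if len(window) > MAX_QUERIES_PER_WINDOW:
            self.blocked[ip] = ts
            self.actions.append(("block", ip, ts))
            window.clear()

    def tick(self, now):
        """Expire blocks for sources silent for at least IDLE_UNBLOCK_SECONDS."""
        for ip in list(self.blocked):
            if now - self.last_seen[ip] >= IDLE_UNBLOCK_SECONDS:
                del self.blocked[ip]
                self.actions.append(("unblock", ip, now))


def ipfw_commands(actions):
    """Render decisions as FreeBSD 'ipfw table N add/delete' commands (not executed here)."""
    verb = {"block": "add", "unblock": "delete"}
    return [f"ipfw table {IPFW_TABLE} {verb[kind]} {ip}" for kind, ip, _ in actions]


# Constructed sample traffic: one client polling every 500 ms for ten seconds
# (like the worst offender above), one polling every 64 s, then silence.
BASE = 1209170640.0
ABUSIVE = "198.51.100.7"
POLITE = "203.0.113.9"


def build_sample_lines():
    events = [(BASE + 0.5 * i, ABUSIVE) for i in range(20)]
    events += [(BASE + 64 * k, POLITE) for k in range(11)]
    events.sort()
    return [f"{ts:.6f} IP {ip}.123 > 192.0.2.1.123: NTPv4, Client, length 48"
            for ts, ip in events]


def run_sample():
    """Feed the sample capture through the table; return the block/unblock decisions."""
    table = BlockTable()
    for line in build_sample_lines():
        parsed = parse_tcpdump_line(line)
        if parsed:
            table.observe(*parsed)
    table.tick(BASE + 9.5 + IDLE_UNBLOCK_SECONDS)   # the hourly sweep the script would run
    return table.actions


if __name__ == "__main__":
    for cmd in ipfw_commands(run_sample()):
        print(cmd)
```

Two points worth noting in the design: the 500 ms client is blocked on its ninth packet (the first to exceed the per-minute limit) while the 64 s client never accumulates more than one query per window, and the idle timer is reset by every packet, including ones sent after the block, so a client that keeps hammering a dropped port stays in the table until it really goes quiet. ntpd's own mechanism is `restrict ... kod limited` together with the `discard` thresholds, which answers over-limit clients with a rate-limit KoD packet; a firewall table like this one catches the clients that ignore it.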