[Ntp] Rate limiting: DDoS, KoD, Pool, NAT
Hal Murray <hmurray@megapathdsl.net> Mon, 24 February 2020 23:45 UTC
To: NTP WG <ntp@ietf.org>
cc: Hal Murray <hmurray@megapathdsl.net>
From: Hal Murray <hmurray@megapathdsl.net>
Date: Mon, 24 Feb 2020 15:45:12 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/277poEV0mO_Yz7DOiM9AXAYVjEo>
The rate limiting parameters in ntpd were carefully set up to support iburst from a single client at an IP Address. With NAT now widely deployed, a single client per IP Address is no longer a valid assumption.

I have a couple of servers in the pool. Rate limiting is disabled to support NAT. I watch the MRU statistics, looking for piggy/abusive users. Samples below. I've seen a few samples that look like NAT and some that look like abuse.

Has anybody else considered this area?

Is there a rate limiting that will serve NAT sites without being useful for DoS redirection?

Does KoD make sense when NAT might be in use? Are there cases where it does make sense and the client software will pay attention?

Do we need something like a registry for NAT sites with lots of clients?

What else is tangled up in this area?

lstint avgint rstr r m v  count rport remote address
=====================================================
 45551  0.000   d0 . 3 4 113844   123 80.227.74.22
 45552  0.001   d0 . 3 4  16861   123 83.111.252.81
 10428  0.001   d0 . 3 3 182510   123 201.137.1.30
  2921  0.001   d0 . 3 3 152890   123 206.41.87.114
 52234  0.002   d0 . 3 3  99361   123 41.248.137.100
 29652  0.004   d0 . 3 4  20070   123 24.142.249.46
  4198  0.019   d0 . 3 4   6833   770 79.238.21.109
 30988  0.029    0 . 6 2  12273 47130 ::1
 45987  0.031   d0 . 3 3   1814 56808 2a02:c7f:5e2d:ea00:3402:95ae:ae2b:3df3
 19252  0.037   d0 . 3 4   1536 50968 207.177.62.245
 24671  0.041   d0 . 3 4   3539 52423 100.16.244.234
  1014  0.041   d0 . 3 4   2240 20139 159.100.164.32
 55206  0.044   d0 . 3 4   3552  3796 38.111.102.2
 43232  0.057   d0 . 3 3   1962 47778 223.196.172.241
 47928  0.064   d0 . 3 4   2416 26154 4.14.1.34

-- 
These are my opinions. I hate spam.
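As an added example (not part of the post and not ntpd's own code), the script below does the kind of MRU triage the post describes: it parses an ntpq "mrulist" table (a constructed copy of the sample above), marks which addresses a per-address limiter using ntpd's default "discard" spacing would have throttled, and estimates how many distinct clients might sit behind each source address. The 2 s minimum spacing, the 8 s average spacing and the 64 s steady-state poll interval are assumptions used for the estimate, not measurements from the post, and the estimator is deliberately crude: an implied count in the tens of thousands behind one address is the signal that separates "NAT" from "abuse", which is exactly the judgement a pool operator makes by eye.

```python
"""Triage of an ntpq 'mrulist' table: which addresses look like many sources
behind one IP, and which a default per-address rate limiter would throttle.
Added example, not ntpd code; thresholds are assumptions (see comments)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: ntpd's default 'discard average 3 minimum 2' means at least 2 s
# between packets from one address and an average spacing of 2^3 = 8 s.
MIN_SPACING_S = 2.0
AVG_SPACING_S = 8.0
# Assumption: a synchronised, well-behaved client polls no faster than every
# 64 s (minpoll 6), so STEADY_POLL_S / avgint approximates the number of
# clients sharing one source address.
STEADY_POLL_S = 64.0
# ntpq prints avgint with three decimals, so 0.000 means "below 0.0005 s".
AVGINT_RESOLUTION_S = 0.0005

# Constructed copy of the MRU sample from the post above.
SAMPLE = """\
lstint avgint rstr r m v  count rport remote address
=====================================================
 45551  0.000   d0 . 3 4 113844   123 80.227.74.22
 45552  0.001   d0 . 3 4  16861   123 83.111.252.81
 10428  0.001   d0 . 3 3 182510   123 201.137.1.30
  2921  0.001   d0 . 3 3 152890   123 206.41.87.114
 52234  0.002   d0 . 3 3  99361   123 41.248.137.100
 29652  0.004   d0 . 3 4  20070   123 24.142.249.46
  4198  0.019   d0 . 3 4   6833   770 79.238.21.109
 30988  0.029    0 . 6 2  12273 47130 ::1
 45987  0.031   d0 . 3 3   1814 56808 2a02:c7f:5e2d:ea00:3402:95ae:ae2b:3df3
 19252  0.037   d0 . 3 4   1536 50968 207.177.62.245
 24671  0.041   d0 . 3 4   3539 52423 100.16.244.234
  1014  0.041   d0 . 3 4   2240 20139 159.100.164.32
 55206  0.044   d0 . 3 4   3552  3796 38.111.102.2
 43232  0.057   d0 . 3 3   1962 47778 223.196.172.241
 47928  0.064   d0 . 3 4   2416 26154 4.14.1.34
"""


@dataclass
class MruEntry:
    lstint: int    # seconds since the last packet from this address
    avgint: float  # average interval between packets from it, seconds
    rstr: int      # restrict flags (printed in hex by ntpq)
    r: str         # rate-limit flag column, kept as printed
    mode: int      # NTP mode of the last packet (3 = client, 6 = control)
    version: int   # NTP version of the last packet
    count: int     # packets seen from this address
    rport: int     # remote source port
    addr: str      # remote address


def parse_mrulist(text: str) -> List[MruEntry]:
    """Parse the data rows of an mrulist table; header/separator are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[0].isdigit():
            continue
        entries.append(MruEntry(int(f[0]), float(f[1]), int(f[2], 16), f[3],
                                int(f[4]), int(f[5]), int(f[6]), int(f[7]), f[8]))
    return entries


def estimated_sources(e: MruEntry) -> int:
    """Rough number of distinct clients sharing e.addr if each polled at
    STEADY_POLL_S; values far beyond any plausible NAT suggest abuse."""
    return max(1, round(STEADY_POLL_S / max(e.avgint, AVGINT_RESOLUTION_S)))


def classify(e: MruEntry) -> str:
    """Where a per-address limiter with the assumed defaults would act."""
    if e.mode == 6:
        return "control"            # ntpq traffic, e.g. the local ::1 entry
    if e.avgint < MIN_SPACING_S:
        return "below-min-spacing"  # limiter would drop or KoD this address
    if e.avgint < AVG_SPACING_S:
        return "below-avg-spacing"
    return "ok"


def report(text: str, top: int = 5) -> List[Tuple[str, int, str, int]]:
    """Top-N non-control entries by packet count:
    (address, count, classification, estimated sources)."""
    clients = [e for e in parse_mrulist(text) if e.mode != 6]
    clients.sort(key=lambda e: e.count, reverse=True)
    return [(e.addr, e.count, classify(e), estimated_sources(e)) for e in clients[:top]]


if __name__ == "__main__":
    for addr, count, cls, sources in report(SAMPLE):
        print("%-40s %7d %-18s ~%d sources" % (addr, count, cls, sources))
```

Every client row in the sample falls under the assumed 2 s minimum spacing, which is why the post says rate limiting had to be disabled for these servers; the estimated-sources column is what distinguishes a large NAT from an abuser, and the mode-6 ::1 row is excluded so local monitoring queries are not counted as a client.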