[Ntp] Rate limiting: DDoS, KoD, Pool, NAT

Hal Murray <hmurray@megapathdsl.net> Mon, 24 February 2020 23:45 UTC

To: NTP WG <ntp@ietf.org>
cc: Hal Murray <hmurray@megapathdsl.net>
From: Hal Murray <hmurray@megapathdsl.net>
Date: Mon, 24 Feb 2020 15:45:12 -0800
Message-Id: <20200224234512.56E2D40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/277poEV0mO_Yz7DOiM9AXAYVjEo>
Subject: [Ntp] Rate limiting: DDoS, KoD, Pool, NAT

The rate limiting parameters in ntpd were carefully set up to support iburst 
from a single client at an IP address.  With NAT now widely deployed, a single 
client per IP address is no longer a valid assumption.

I have a couple of servers in the pool.  Rate limiting is disabled to support 
NAT.  I watch the MRU statistics, looking for piggy/abusive users.  Samples 
below.

I've seen a few samples that look like NAT and some that look like abuse.

Has anybody else considered this area?  Is there a form of rate limiting that will 
serve NAT sites without being useful for DoS redirection?

Does KoD make sense when NAT might be in use?  Are there cases where it does 
make sense and the client software will pay attention?

Do we need something like a registry for NAT sites with lots of clients?

What else is tangled up in this area?


 lstint avgint rstr r m v  count rport remote address
=====================================================
  45551  0.000   d0 . 3 4 113844   123 80.227.74.22
  45552  0.001   d0 . 3 4  16861   123 83.111.252.81
  10428  0.001   d0 . 3 3 182510   123 201.137.1.30
   2921  0.001   d0 . 3 3 152890   123 206.41.87.114
  52234  0.002   d0 . 3 3  99361   123 41.248.137.100
  29652  0.004   d0 . 3 4  20070   123 24.142.249.46
   4198  0.019   d0 . 3 4   6833   770 79.238.21.109
  30988  0.029    0 . 6 2  12273 47130 ::1
  45987  0.031   d0 . 3 3   1814 56808 2a02:c7f:5e2d:ea00:3402:95ae:ae2b:3df3
  19252  0.037   d0 . 3 4   1536 50968 207.177.62.245
  24671  0.041   d0 . 3 4   3539 52423 100.16.244.234
   1014  0.041   d0 . 3 4   2240 20139 159.100.164.32
  55206  0.044   d0 . 3 4   3552  3796 38.111.102.2
  43232  0.057   d0 . 3 3   1962 47778 223.196.172.241
  47928  0.064   d0 . 3 4   2416 26154 4.14.1.34


-- 
These are my opinions.  I hate spam.
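As an added illustration of the MRU watching described in the message (this is not code from the message or from ntpd), the following Python parses an ntpq `mrulist` table of the shape shown above and scores each source: observed packet rate, whether a client-mode source averages less than ntpd's default headway (`discard average 3`, i.e. 2^3 = 8 s, assumed to be the default for the ntpd in question), and a heuristic lower bound on how many distinct well-behaved clients could be behind one address if each polled no more often than every 64 s. The 64 s figure and the NAT-vs-abuse heuristic are my assumptions; the sample input is the fifteen rows posted above.

```python
"""Parse an ntpq 'mrulist' table and score sources the way an operator
hunting for abusive or NAT-heavy addresses might.  Added example, not
code from the original message or from ntpd."""
import math
from dataclasses import dataclass

# Sample input: the 15 rows posted in the message, with the header and
# separator left in so the parser has to skip them.
SAMPLE_MRU = """\
 lstint avgint rstr r m v  count rport remote address
=====================================================
  45551  0.000   d0 . 3 4 113844   123 80.227.74.22
  45552  0.001   d0 . 3 4  16861   123 83.111.252.81
  10428  0.001   d0 . 3 3 182510   123 201.137.1.30
   2921  0.001   d0 . 3 3 152890   123 206.41.87.114
  52234  0.002   d0 . 3 3  99361   123 41.248.137.100
  29652  0.004   d0 . 3 4  20070   123 24.142.249.46
   4198  0.019   d0 . 3 4   6833   770 79.238.21.109
  30988  0.029    0 . 6 2  12273 47130 ::1
  45987  0.031   d0 . 3 3   1814 56808 2a02:c7f:5e2d:ea00:3402:95ae:ae2b:3df3
  19252  0.037   d0 . 3 4   1536 50968 207.177.62.245
  24671  0.041   d0 . 3 4   3539 52423 100.16.244.234
   1014  0.041   d0 . 3 4   2240 20139 159.100.164.32
  55206  0.044   d0 . 3 4   3552  3796 38.111.102.2
  43232  0.057   d0 . 3 3   1962 47778 223.196.172.241
  47928  0.064   d0 . 3 4   2416 26154 4.14.1.34
"""

# ntpd's 'discard average 3' means a minimum average headway of 2^3 = 8 s
# per source.  Assumed default; confirm against your ntpd's documentation.
DEFAULT_AVERAGE_LOG2 = 3
# Assumption for the heuristic: one well-behaved client polls no more
# often than every 64 s (minpoll 6).
SINGLE_CLIENT_POLL_S = 64


@dataclass
class MruEntry:
    lstint: int      # seconds since the last packet from this address
    avgint: float    # average interval between packets, in seconds
    rstr: int        # restrict flags, parsed from the hex column
    rate_flag: str   # 'L' if ntpd rate-limited the source, '.' if not
    mode: int        # NTP mode of the last packet (3 = client, 6 = control)
    version: int     # NTP version of the last packet
    count: int       # packets seen from this address
    rport: int       # remote UDP source port
    address: str


def parse_mru(text):
    """Return one MruEntry per data row; header and separator rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or not fields[0].isdigit():
            continue
        lstint, avgint, rstr, r, m, v, count, rport, addr = fields
        entries.append(MruEntry(int(lstint), float(avgint), int(rstr, 16), r,
                                int(m), int(v), int(count), int(rport), addr))
    return entries


def packets_per_second(entry):
    """Observed rate.  avgint is printed to 3 decimals, so 0.000 means faster
    than one packet per 0.5 ms; report that as infinite rather than divide by zero."""
    return math.inf if entry.avgint <= 0 else 1.0 / entry.avgint


def would_be_limited(entry, average_log2=DEFAULT_AVERAGE_LOG2):
    """True if a client-mode source averages less than the configured headway,
    i.e. ntpd with 'restrict ... limited' enabled would throttle it."""
    return entry.mode == 3 and entry.avgint < 2 ** average_log2


def implied_clients(entry, poll_s=SINGLE_CLIENT_POLL_S):
    """Heuristic lower bound on distinct well-behaved clients behind the address
    (each polling at most once per poll_s) needed to produce the observed rate."""
    if entry.avgint <= 0:
        return math.inf
    return math.ceil(poll_s / entry.avgint)


def triage(entries):
    """Client-mode sources sorted busiest first, with the fields an operator
    looks at when trying to tell a large NAT site from abuse."""
    rows = []
    for e in entries:
        if e.mode != 3:
            continue  # mode 6 from ::1 is local ntpq control traffic, not a pool client
        rows.append({
            "address": e.address,
            "pps": packets_per_second(e),
            "count": e.count,
            "rport": e.rport,  # remote source port, shown for context only
            "implied_clients": implied_clients(e),
            "limited_by_default": would_be_limited(e),
        })
    rows.sort(key=lambda r: r["pps"], reverse=True)  # stable: ties keep table order
    return rows


if __name__ == "__main__":
    for row in triage(parse_mru(SAMPLE_MRU)):
        print(f"{row['address']:>40} {row['pps']:>9.1f} pps  {row['count']:>7} pkts  "
              f"rport {row['rport']:>5}  >= {row['implied_clients']} clients  "
              f"limited={row['limited_by_default']}")
```

Run against the posted table, every client-mode source (all but the mode 6 `::1` row) averages well under the 8 s headway, which is the concrete reason rate limiting had to be turned off on these pool servers: the default limiter cannot distinguish a thousand NAT'd clients sharing one address from one client sending a thousand times too often. The `implied_clients` bound is only a sanity check, not evidence either way.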