Re: [Ntp] Rate limiting: DDoS, KoD, Pool, NAT

Miroslav Lichvar <mlichvar@redhat.com> Thu, 05 March 2020 11:12 UTC

Date: Thu, 05 Mar 2020 12:11:54 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/ErLRlN5rHSzUfgYin94SAFoDLPw>

On Thu, Mar 05, 2020 at 02:47:04AM -0800, Hal Murray wrote:
> What fraction of the clients are "full"?  Is there an easy way for a server to 
> test?  If so, I'll see if I can collect some data.  That seems like a 
> generally useful piece of data for discussions like this.

Using tcpdump you can collect transmit timestamps of the server and
origin timestamps of the clients and then find matching timestamps.

Most clients are SNTP and set the origin timestamp to zero or a
different constant. IIRC, in my tests it's not more than 10-20% of
clients being "full". It varies between countries.

> Does that work in the case where there are several/many clients behind a NAT 
> box?

Yes, it does.

-- 
Miroslav Lichvar
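
The matching described in this message, as an added example that is not code from the thread: each request is classified by whether its origin timestamp equals a transmit timestamp the server sent earlier. It assumes the NTP payloads have already been extracted from a capture as (client address, payload) pairs; the function names and the sample packets are constructed for illustration.

```python
import struct

NTP_LEN = 48  # fixed NTP header; extension fields or a MAC may follow
MODE_CLIENT, MODE_SERVER = 3, 4

def parse(payload):
    """Return (mode, origin, transmit) from an NTP payload, or None if too short."""
    if len(payload) < NTP_LEN:
        return None
    origin, _receive, transmit = struct.unpack("!QQQ", payload[24:48])
    return payload[0] & 0x07, origin, transmit

def classify(packets):
    """packets: (client_addr, payload) in capture order, requests and responses.
    Returns {client_addr: {"full": n, "other": n}}, counting requests."""
    sent = set()  # transmit timestamps seen in the server's responses
    stats = {}
    for addr, payload in packets:
        parsed = parse(payload)
        if parsed is None:
            continue
        mode, origin, transmit = parsed
        if mode == MODE_SERVER:
            sent.add(transmit)
        elif mode == MODE_CLIENT:
            # Match on the timestamp value, not the address, so clients
            # sharing one NAT address are still distinguished per request.
            # A client's first poll has nothing to echo and counts as "other".
            kind = "full" if origin in sent else "other"
            stats.setdefault(addr, {"full": 0, "other": 0})[kind] += 1
    return stats

def full_fraction(stats):
    """Fraction of addresses that sent at least one matching request."""
    return sum(1 for c in stats.values() if c["full"]) / len(stats) if stats else 0.0

def pkt(mode, origin=0, transmit=0):
    """Build a constructed 48-byte NTPv4 payload for the sample below."""
    return struct.pack("!B23xQQQ", (4 << 3) | mode, origin, 0, transmit)

# Constructed sample: two clients behind 192.0.2.10 (one full, one SNTP)
# and one SNTP client at 198.51.100.7 that sends a constant origin.
SAMPLE = [
    ("192.0.2.10", pkt(3, transmit=0xA1)),                  # client A, first poll
    ("192.0.2.10", pkt(4, origin=0xA1, transmit=0x1111)),   # server response to A
    ("192.0.2.10", pkt(3)),                                 # client B, zero origin
    ("192.0.2.10", pkt(4, transmit=0x2222)),                # server response to B
    ("192.0.2.10", pkt(3, origin=0x1111, transmit=0xA2)),   # client A, second poll
    ("198.51.100.7", pkt(3, origin=0xDEADBEEF)),            # constant origin
]
print(classify(SAMPLE), full_fraction(classify(SAMPLE)))
```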