[Ntp] KISS => NAT => Rate limiting

Hal Murray <halmurray+ietf@sonic.net> Fri, 03 November 2023 03:08 UTC

Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F1AC151076 for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 20:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9klr140LIhDs for <ntp@ietfa.amsl.com>; Thu, 2 Nov 2023 20:08:52 -0700 (PDT)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52C98C15106E for <ntp@ietf.org>; Thu, 2 Nov 2023 20:08:51 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 3A338o6Q015155 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 2 Nov 2023 20:08:50 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 854FB28C20C; Thu, 2 Nov 2023 20:08:50 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: NTP WG <ntp@ietf.org>
cc: Hal Murray <halmurray+ietf@sonic.net>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Thu, 02 Nov 2023 10:11:06 +0100." <ZUNnqmnEVDx1538O@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Nov 2023 20:08:50 -0700
Message-Id: <20231103030850.854FB28C20C@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVZwlH+IikWx5XZS70a5Pn53xNCyrYMEFGCGdDlwvCGc2+yyj+9+78SiU2DxL9GC6ktdILAdyo/cy061ONGpmS7BldvjiHIUGv4=
X-Sonic-ID: C;buUFUPZ57hGfX50CP63e0g== M;qgEcUPZ57hGfX50CP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/bUFtTqCAX1Vjz4Udi5ffVEtslg8>
Subject: [Ntp] KISS => NAT => Rate limiting
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 03:08:53 -0000

Yet another problem with KISS is that it doesn't work with NAT.  A server 
can't distinguish a slightly misbehaving client from a handful of clients 
behind a NAT box.

With modern gear, is there any reason to tell a well behaving client to slow 
down?  Should we pick a number, say 64 seconds, and say "Get permission from 
the operator if you want to send faster than that."?  How does that work with 
iburst or ntpdate that send several packets on short intervals and then become 
reasonable?


NAT gets involved with another tangle.  Do we need to think about rate 
limiting so NTP servers can't be used as reflectors to hide the true source of 
a DoS attack?  Is there an IETF group that thinks about UDP and rate limiting?


I've been using a limit of 1 packet per second on a couple of pool servers.  
That seems generous.  I've got a 20 second time constant on the filter so 
short bursts will work.  Even if they are all polling at 64 seconds, that will 
handle several boxes behind NAT.  (Handwave about getting started if they use 
iburst and all start at the same time like after a power failure and you are 
on the high side of several...)

If you look at the traffic, and ignore the known broken senders, there is 
another layer of busy boxes.  They are borderline abusive, more than 1 packet 
per second, less than 1000s that we get from the seriously broken boxes.  I 
think they are NAT.  I should probably try harder to contact the owners...



I can see 2 approaches to getting around rate limiting if we decide that is 
appropriate.

One is to get ISPs to run NTP servers and their customers to use them.

The other is to setup a registry for IP Addresses of NAT boxes and have the 
servers allow more traffic from them.

Any other ideas?


-- 
These are my opinions.  I hate spam.