<div dir="ltr">Hello Willy,<div>As mentioned, I think it's better to rate limit rather than block access to your time server.</div><div>As a person who greatly relied on time servers in the UK at the time when Africa had very few servers, it would be sad if we started blocking access</div><div>to essential services once we find our feet.</div><div><br></div><div>Alex</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 4, 2018 at 12:46 PM, Willy MANGA <span dir="ltr"><<a href="mailto:mangawilly@gmail.com" target="_blank">mangawilly@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Nishal<br>
<span class=""><br>
On 04/06/2018 at 10:31, Nishal Goburdhan wrote:<br>
> On 2 Jun 2018, at 17:52, Willy MANGA wrote:<br>
> <br>
>> Hello,<br>
>> for those here who have ntp server in <a href="http://africa.pool.ntp.org" rel="noreferrer" target="_blank">africa.pool.ntp.org</a> [1] , how do<br>
>> you manage the traffic on your server ?<br>
> <br>
> iirc, you’re allowed to set a “bandwidth” limit on the server, that then<br>
> tries to send you a percentage of queries. something along the lines of<br>
> a 10mb/s link, would attract less than 100mb/s etc.<br>
<br>
</span>Done<br>
<span class=""><br>
> (by way of comparison, iirc, our hosts are set to gigE, and, we see on<br>
> average 5mb/s of constant traffic to each, with “abuse” peaks to about<br>
> 30mb/s. abuse peaks don’t appear to be spread across all hosts though; <br>
> we’d frequently see peaks to a single host; whilst the other two are<br>
> untroubled)<br>
> <br>
> <br>
>> Do you restrict access to network within africa ?<br>
> <br>
> no. it’s a public service. i don’t think we’ve ever tried to map where<br>
> requests come from, as that’s not our area of interest.<br>
> /shrug.<br>
<br>
<br>
</span>Indeed it's a public service. My concern was about requests coming from<br>
countries (in another continent) when (from my point of view) there are<br>
already many ntp servers in their area.<br>
<br>
But you are right, it should stay open to all.<br>
<span class=""><br>
>> How do you deal with those who abusively poll your server(from my<br>
>> little experience, almost<br>
>> the same usual suspects ... :) )<br>
> <br>
> there are some tips on <a href="http://ntp.org" rel="noreferrer" target="_blank">ntp.org</a> for securing the server in general. we<br>
> don’t block any addresses, but do rate-limit the overall host.<br>
> i’m curious; what abuse are you seeing?<br>
<br>
</span>There are two countries that I would not cite here who send tons of<br>
requests to my ntp server [1]. They are not located in Africa and I'm<br>
sure the real intent is not to 'simply' ask time.<br>
Besides, if I look further, it's the same who query all my infra.<br>
<br>
I may be wrong but I consider it as an abuse.<br>
I don't bother to see incoming requests from everywhere except from<br>
malicious authors.<br>
<br>
Rate-limit is a good workaround; I will implement it.<br>
<br>
By the way, can more people/organisations with better resources than me<br>
join the NTP pool ? :)<br>
<br>
<br>
1. It looks like it's the first in my country (cameroon) ... hope more<br>
will follow one day ...<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
-- <br>
Willy Manga<br>
@ongolaboy<br>
<a href="https://ongola.blogspot.com/" rel="noreferrer" target="_blank">https://ongola.blogspot.com/</a><br>
<br>
</div></div><br>______________________________<wbr>_________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog" rel="noreferrer" target="_blank">https://www.afnog.org/mailman/<wbr>listinfo/afnog</a><br></blockquote></div><br></div>
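The thread settles on rate limiting rather than blocking. As an added example that is not part of the original messages, here is one way to apply per-source rate limits in the reference ntpd's ntp.conf. The thread does not say which NTP daemon or limiting mechanism the posters use, so the daemon choice and the numeric values (ntpd's documented defaults) are assumptions.

```conf
# ntp.conf fragment for a public pool server.
# Added example: assumes the reference ntpd from ntp.org; values are
# illustrative and not taken from the thread.

# Serve time to any source address, with these restrictions:
#   limited  - deny time service to a source that exceeds the 'discard' limits
#   kod      - send a kiss-o'-death packet to a source that exceeds them
#   nomodify - refuse run-time reconfiguration through ntpq/ntpdc
#   notrap   - refuse the control-message trap service
#   nopeer   - refuse packets that would mobilise a new association
#   noquery  - refuse ntpq/ntpdc status queries; time service is unaffected
restrict -4 default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Unrestricted access for local administration only.
restrict 127.0.0.1
restrict ::1

# Per-source limits enforced by the 'limited' flag above:
#   average 3 -> minimum average spacing of 2^3 = 8 s between packets
#   minimum 2 -> minimum spacing (guard time) of 2 s between packets
discard average 3 minimum 2
```

With this in place, a source that polls faster than the limits stops receiving answers until it slows down, while every other client, wherever it is located, is still served.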