[afnog] How do you maintain your ntp server ?

Willy MANGA mangawilly at gmail.com
Mon Jun 4 10:46:02 UTC 2018


Hi Nishal

On 04/06/2018 at 10:31, Nishal Goburdhan wrote:
> On 2 Jun 2018, at 17:52, Willy MANGA wrote:
> 
>> Hello,
>> for those here who have ntp server in africa.pool.ntp.org [1] , how do
>> you manage the traffic on your server ?
> 
> iirc, you’re allowed to set a “bandwidth” limit on the server, that then
> tries to send you a percentage of queries.  something along the lines of
> a 10mb/s link, would attract less than 100mb/s etc.

Done

> (by way of comparison, iirc, our hosts are set to gigE, and, we see on
> average 5mb/s of constant traffic to each, with “abuse” peaks to about
> 30mb/s.  abuse peaks don’t appear to be spread across all hosts though; 
> we’d frequently see peaks to a single host;  whilst the other two are
> untroubled)
> 
> 
>> Do you restrict access to network within africa ?
> 
> no.  it’s a public service.  i don’t think we’ve ever tried to map where
> requests come from, as that’s not our area of interest.
> /shrug.


Indeed it's a public service. My concern was about requests coming from
countries (in another continent) when (from my point of view) there are
already many ntp servers in their area.

But you are right, it should stay open to all.

>> How do you deal with those who abusively poll your server (from my
>> little experience, almost
>> the same usual suspects ... :) )
> 
> there are some tips on ntp.org for securing the server in general.  we
> don’t block any addresses, but do rate-limit the overall host.
> i’m curious;  what abuse are you seeing?

There are two countries that I would not cite here who send tons of
requests to my ntp server [1]. They are not located in Africa and I'm
sure the real intent is not to 'simply' ask time.
Besides, if I look further, it's the same who query all my infra.

I may be wrong but I consider it as an abuse.
I don't bother to see incoming requests from everywhere except from
malicious authors.

Rate-limit is a good workaround; I will implement it.

By the way, can more people/organisations with better resources than me
join the NTP pool ? :)


1. It looks like it's the first in my country (Cameroon) ... hope more
will follow one day ...


-- 
Willy Manga
@ongolaboy
https://ongola.blogspot.com/
