[afnog] How do you maintain your ntp server ?

Nishal Goburdhan nishal at controlfreak.co.za
Tue Jun 5 14:09:51 UTC 2018


On 4 Jun 2018, at 12:46, Willy MANGA wrote:

> Indeed it's a public service. My concern was about requests coming 
> from
> countries (in another continent) when (from my point of view) there 
> are
> already many ntp servers in their area.

meh.  it’s one internet.  i silently (and sometimes not-so-silently) 
make fun of people who seem to think that IP addresses “belong” to a 
region.   :-)


> But you are right, it should stay open to all.

:-)


> There are two countries that I would not cite here who send tons of
> requests to my ntp server [1]. There are not located in Africa and I'm
> sure the real intent is not to 'simply' ask time.
> Besides, if I look further, it's the same who query all my infra.

lesson #1 : traffic doesn’t come from “countries”;  it comes from 
networks.  if you truly believe that this is malicious, then you 
*should* act against it.  that means that you probably want to engage 
your ISP, and their transit ISP, to backtrack, and identify the source.


> I may be wrong but I consider it as an abuse.

it’s your network;  and you are providing access to the resource, so, 
if you feel it’s abuse, feel free to limit it.  a pf rule, (or 
whatever linux poison you are suffering), could be used to limit the 
source on your device.  and if it’s causing problems upstream by 
clogging your pipes, ask your ISP for help.  i’d given you some 
numbers on the traffic that i see;  use that (and other data that others 
here might give you) to figure out if you are truly being abused, and 
create your policy based on that.

on the other hand … you might also be seeing the residual part of 
someone that has a problem, and it may be worth your while reaching out 
to the network in question to let them know of the problem they’re 
creating for you.  it certainly won’t be the first time that ntp has 
created interesting traffic. [2]  consider that they might be merrily 
unaware that they’re creating issues for you …

to provide you with some more data, i pulled 10x 1000 packet samples, 
over a semi-random period of time, and from super-quick analysis, i see 
that we do indeed attract packets that are not “from africa”.  
interestingly enough, *all* of these appear to be v4 requests (vs. the 
more common v3 requests).  so that might be worth looking into, as an 
interesting data point.  happy to continue chatting off-list if you’d 
like.

—n.

[1]  http://pages.cs.wisc.edu/~plonka/netgear-sntp/



More information about the afnog mailing list