[afnog] How do you maintain your ntp server ?
Loganaden Velvindron
loganaden at gmail.com
Wed Jun 13 14:06:34 UTC 2018
On Wed, Jun 13, 2018 at 5:43 PM, Willy MANGA <mangawilly at gmail.com> wrote:
> Hi,
>
> Le 05/06/2018 à 15:09, Nishal Goburdhan a écrit :
>> On 4 Jun 2018, at 12:46, Willy MANGA wrote:
>>
>>> Indeed it's a public service. My concern was about requests coming from
>>> countries (in another continent) when (from my point of view) there are
>>> already many ntp servers in their area.
>>
>> meh. it’s one internet. i silently (and sometimes not-so-silently)
>> make fun of people who seem to think that IP addresses “belong” to a
>> region. :-)
>
> You got a point here. :)
>
>> lesson #1 : traffic doesn’t come from “countries”; it comes from
>> networks. if you truly believe that this is malicious, then you
>> *should* act against it. that means that you probably want to engage
>> your ISP, and their transit ISP, to backtrack, and identify the source.
>
> So difficult in my country if I need to engage my ISP. The telco world is
> unfortunately very closed :-\. For instance, I was very fortunate to
> have my ISP collaborate with me when I requested IPv6 in my networks.
>
> I hope one day two big managers will tell their team that there are
> some issues that can be discussed publicly. Look at the archives of
> cmNOG[1] for instance. They are subscribed but very few said something :-\
>
> So frustrating from an end-user like me ...
>
Go the PHK way for NTP "vandalism":
https://people.freebsd.org/~phk/dlink/
https://www.engadget.com/2006/04/09/danish-server-admin-exposes-d-links-ntp-vandalism/
>
> 1. https://lists.cmnog.cm/pipermail/cmnog/
>
>>> I may be wrong but I consider it as an abuse.
>>
>> it’s your network; and you are providing access to the resource, so, if
>> you feel it’s abuse, feel free to limit it. a pf rule, (or whatever
>> linux poison you are suffering), could be used to limit the source on
>> your device. and if it’s causing problems upstream by clogging your
>> pipes, ask your ISP for help. i’d given you some numbers on the traffic
>> that i see; use that (and other data that others here might give you)
>> to figure out if you are truly being abused, and create your policy
>> based on that.
>
> Firewall rules have been updated. It works fine right now. The current score
> of my ntp server is still 20/20 on IPv4/IPv6 :)
>
>> on the other hand … you might also be seeing the residual part of
>> someone that has a problem, and it may be worth your while reaching out
>> to the network in question to let them know of the problem they’re
>> creating for you. it certainly won’t be the first time that ntp has
>> created interesting traffic. [2] consider that they might be merrily
>> unaware that they’re creating issues for you …
>
> Not a great probability here :)
>
>> to provide you with some more data, i pulled 10x 1000 packet samples,
>> over a semi-random period of time, and from super-quick analysis, i see
>> that we do indeed attract packets that are not “from africa”.
>> interestingly enough, *all* of these appear to be v4 requests (vs. the
>> more common v3 requests). so that might be worth looking into, as an
>> interesting data point. happy to continue chatting off-list if you’d like.
>
> Having the same trend here.
>
> When I grab time I'll let you know ;)
>
>
> --
> Willy Manga
> @ongolaboy
> https://ongola.blogspot.com/
>
>
> _______________________________________________
> afnog mailing list
> https://www.afnog.org/mailman/listinfo/afnog
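Two points from the thread lend themselves to a worked check: tallying a packet sample by NTP version (the "all v4 requests" observation) and limiting the sources that turn out to be abusive with a pf rule. The script below is an added example, not code from the thread or from any of its participants. It decodes the first bytes of the NTP header (leap indicator, version, mode as defined in RFC 5905) from raw UDP payloads, counts client requests per version and per source, and emits a pf table plus rule for sources over a per-sample budget. The sample packets, the RFC 5737 source addresses, the budget of 5, and the pf table and interface names (`ntp_abusers`, `egress`) are all constructed assumptions for illustration.

```python
# Added example (not from the thread): parse the first bytes of NTP
# requests captured as raw UDP payloads, tally them by protocol version
# and by source, and turn over-budget sources into a pf table so they can
# be rate-limited or blocked. All sample data below is constructed.
import struct
from collections import Counter

NTP_HEADER_LEN = 48          # minimum NTP packet length, RFC 5905
MODE_CLIENT = 3              # mode 3 = client request


def parse_ntp_header(payload: bytes) -> dict:
    """Decode LI/VN/Mode, stratum, poll and precision from an NTP header."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(payload))
    first = payload[0]
    # stratum is unsigned, poll and precision are signed 8-bit (RFC 5905)
    stratum, poll, precision = struct.unpack("!Bbb", payload[1:4])
    return {
        "li": first >> 6,             # leap indicator, top 2 bits
        "version": (first >> 3) & 7,  # version number, next 3 bits
        "mode": first & 7,            # association mode, low 3 bits
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
    }


def build_ntp_packet(version: int, mode: int, poll: int = 6) -> bytes:
    """Constructed 48-byte NTP packet with zeroed timestamps (test data)."""
    first = (version << 3) | mode      # LI = 0
    return struct.pack("!BBbb", first, 0, poll, -20) + bytes(44)


# Constructed sample: (source address, UDP payload), RFC 5737 addresses.
SAMPLE = (
    [("192.0.2.10", build_ntp_packet(4, MODE_CLIENT))] * 6
    + [("198.51.100.7", build_ntp_packet(3, MODE_CLIENT))]
    + [("203.0.113.5", build_ntp_packet(4, MODE_CLIENT))] * 2
    + [("203.0.113.5", build_ntp_packet(4, 4))]  # stray server reply, not a request
)


def summarize(sample) -> dict:
    """Count client requests by NTP version and by source; skip other modes."""
    by_version, by_source, skipped = Counter(), Counter(), Counter()
    for src, payload in sample:
        hdr = parse_ntp_header(payload)
        if hdr["mode"] != MODE_CLIENT:
            skipped[hdr["mode"]] += 1
            continue
        by_version[hdr["version"]] += 1
        by_source[src] += 1
    return {"by_version": by_version, "by_source": by_source, "skipped": skipped}


def over_budget(by_source: Counter, budget: int) -> list:
    """Sources that sent more requests than `budget` within the sample."""
    return sorted(src for src, n in by_source.items() if n > budget)


def pf_rules(sources, table="ntp_abusers", iface="egress") -> str:
    """pf table and rule dropping NTP from the flagged sources.
    Table and interface names are assumptions; adapt to the local ruleset."""
    lines = [
        "table <%s> persist { %s }" % (table, ", ".join(sources)),
        "block in quick on %s proto udp from <%s> to any port 123" % (iface, table),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print("requests by version:", dict(stats["by_version"]))
    print("requests by source: ", dict(stats["by_source"]))
    print("skipped (mode -> n):", dict(stats["skipped"]))
    flagged = over_budget(stats["by_source"], budget=5)
    if flagged:
        print(pf_rules(flagged))
```

In practice the `SAMPLE` list would be filled from a capture of the server's UDP/123 traffic (for instance the 10x 1000-packet samples mentioned above); the version split tells you whether the odd traffic is a single misbehaving implementation, and the per-source budget is what the pf rule enforces once you have decided what "abuse" means for your own link.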