Finding abusive NTP clients
Hal Murray
hmurray at megapathdsl.net
Sat Apr 16 19:46:13 UTC 2016
ghane0 at gmail.com said:
> lstint avgint rstr r m v count rport remote address
> ==============================================================================
> 0 0.01 1f0 L 3 4 32250 123 27.126.220.102
> 0 0.02 1f0 L 3 4 35659 123 27.126.220.105
> 0 0.02 1f0 L 3 4 35789 123 27.126.220.106
> 0 0.02 1f0 L 3 4 35766 123 27.126.220.103
> 0 0.02 1f0 L 3 4 35780 123 27.126.220.101
> 0 0.02 1f0 L 3 4 32843 123 27.126.220.104
> 1 0.51 1f0 L 3 3 2877243 18012 202.136.171.166
> 0 1.14 1f0 L 3 4 1282569 54878 52.74.115.126
Wow! The bottom two take the record. If I read that right, they have been
hammering away for over 2 weeks.

52.74.115.126 is Amazon. A polite note to their abuse dept might get some
action. Whois says 202.136.171.166 is NTT SINGAPORE. I don't know how they
will react. You will probably have to explain things to them. See if you
can find out what sort of broken software they are using.

Looks like your server has been up for a long time and also that you are
using the default mrulist setup. ntpq monstats will give you a summary.

If you give it more memory, it won't recycle the slots so quickly and you
will be able to see the abusive users who stop after a while. Here is what
I'm using:

rlimit memlock 200
mru initmem 25000 maxmem 150000 maxage 200000

The maxage gets rid of stuff that is 2+ days old. I run a script each night
that saves the mru output. Someday, I should be able to dig out the IPv4 vs
IPv6 traffic levels. (If anybody does that before I do, please let me know.)
--
These are my opinions. I hate spam.
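
Added example, not part of the original post or of any NTP project's code: one way to process saved mrulist output to rank high-rate clients, estimate how long each has been active (count times avgint), and total packets per address family. It assumes the nine-column layout quoted above with numeric addresses (as from ntpq -n); the thresholds, function names and the last two sample rows (documentation addresses) are constructed.

```python
import ipaddress

# Constructed sample: three rows from the post plus two made-up rows.
SAMPLE = """\
lstint avgint rstr r m v count rport remote address
==============================================================================
0 0.01 1f0 L 3 4 32250 123 27.126.220.102
1 0.51 1f0 L 3 3 2877243 18012 202.136.171.166
0 1.14 1f0 L 3 4 1282569 54878 52.74.115.126
12 1024 1d0 . 3 4 310 123 2001:db8::10
40 64 1d0 . 3 4 25 40112 192.0.2.7
"""

def parse_mru(text):
    """Yield one dict per data row; header, separator and junk lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue  # header has 10 words, separator has 1
        try:
            yield {"addr": ipaddress.ip_address(f[8]), "avgint": float(f[1]),
                   "count": int(f[6]), "rport": int(f[7]), "rstr": f[2]}
        except ValueError:
            continue  # hostname instead of a numeric address, or damaged row

def report(text, max_avgint=2.0, min_count=1000):
    """Return (abusers, packets per IP version). Thresholds are illustrative."""
    abusers, family = [], {4: 0, 6: 0}
    for e in parse_mru(text):
        family[e["addr"].version] += e["count"]
        if e["avgint"] <= max_avgint and e["count"] >= min_count:
            # count * avgint approximates the span the client has been active
            days = e["count"] * e["avgint"] / 86400
            abusers.append((str(e["addr"]), e["count"], round(days, 1)))
    abusers.sort(key=lambda a: a[1], reverse=True)
    return abusers, family

if __name__ == "__main__":
    abusers, family = report(SAMPLE)
    for addr, count, days in abusers:
        print(f"{addr:40s} {count:>9d} pkts  ~{days} days")
    print("packets by IP version:", family)
```

The per-family totals only cover clients still present in the MRU list, so they are a lower bound on traffic unless the list is large enough to avoid recycling slots.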