[afnog] How do you maintain your ntp server ?

Kisakye Alex kisakye at gmail.com
Mon Jun 4 12:01:59 UTC 2018 

Hello Willy,
As mentioned, I think its better to rate limit rather than block access to
you time server.
As a person who greatly relied on time servers in the UK at the time when
Africa has very few servers, it would be sad if we started blocking access
to essential services once we find our feet.

Alex

On Mon, Jun 4, 2018 at 12:46 PM, Willy MANGA <mangawilly at gmail.com> wrote:

> Hi Nishal
>
> Le 04/06/2018 à 10:31, Nishal Goburdhan a écrit :
> > On 2 Jun 2018, at 17:52, Willy MANGA wrote:
> >
> >> Hello,
> >> for those here who have ntp server in africa.pool.ntp.org [1] , how do
> >> you manage the traffic on your server ?
> >
> > iirc, you’re allowed to set a “bandwidth” limit on the server, that then
> > tries to send you a percentage of queries.  something along the lines of
> > a 10mb/s link, work attract less than 100mb/s etc.
>
> Done
>
> > (by way of comparison, iirc, our hosts are set to gigE, and, we see on
> > average 5mb/s of constant traffic to each, with “abuse” peaks to about
> > 30mb/s.  abuse peaks don’t appear to be spread across all hosts though;
> > we’d frequently see peaks to a single host;  whilst the other two are
> > untroubled)
> >
> >
> >> Do you restrict access to network within africa ?
> >
> > no.  it’s a public service.  i don’t think we’ve ever tried to map where
> > requests come from, as that’s not our area of interest.
> > /shrug.
>
>
> Indeed it's a public service. My concern was about requests coming from
> countries (in another continent) when (from my point of view) there are
> already many ntp servers in their area.
>
> But you are right, it should stay open to all.
>
> >> How do you deal with those who abusively poll your server(from my
> >> little experience, almost
> >> the same usual suspects ... :) )
> >
> > there are some tips on ntp.org for securing the server in general.  we
> > don’t block any addresses, but do rate-limit the overall host.
> > i’m curious;  what abuse are you seeing?
>
> There are two countries that I would not cite here who send tons of
> requests to my ntp server [1]. There are not located in Africa and I'm
> sure the real intent is not to 'simply' ask time.
> Besides, if I look further, it's the same who query all my infra.
>
> I may be wrong but I consider it as an abuse.
> I don't bother to see incoming requests from everywhere except from
> malicious authors.
>
> Rate-limit is a good workaround; I will implement it.
>
> By the way, can more people/organisations with better resources than me
> can join hte NTP pool ? :)
>
>
> 1. It looks like it's the first in my country (cameroon) ... hope more
> will follow one day ...
>
>
> --
> Willy Manga
> @ongolaboy
> https://ongola.blogspot.com/
>
>
> _______________________________________________
> afnog mailing list
> https://www.afnog.org/mailman/listinfo/afnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.afnog.org/pipermail/afnog/attachments/20180604/dea68d39/attachment.html>

More information about the afnog mailing list