Re: [chrony-users] Rate limit question


On Wed, Sep 22, 2021 at 08:09:47AM -0500, Steven Sommars wrote:
> Running chrony 4.1-pre1.   chrony.conf has a ratelimit directive
>        ratelimit interval 4 burst 4
> When a large burst (thousands of requests) from one IP arrives, I expect at
> most 4 packets to be sent in one interval (2^4=16 seconds).  Instead I see
> 1 response per 4 requests on average.
> 
> Where did I go wrong?

That is expected behavior. See the leak option of the ratelimit
directive in the chrony.conf man page.

chronyd cannot just stop responding to an address if it appears to be
sending too many requests. We don't know if it is not an attacker
sending requests with a spoofed source address trying to deny the
service to a legitimate client. IIRC we have discussed this on the NTP
WG list.

The purpose of rate limiting is to save some traffic on broken or
misconfigured clients. If you don't respond at all, you save 50% of
the incoming+outgoing traffic. If you respond to 1/4 of requests, you
save only 37.5%, but still allow the client to synchronize in case it
is under an attack.

-- 
Miroslav Lichvar
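As an added illustration of the leak behaviour described above (example code, not chrony's implementation and not part of the thread): a simplified, deterministic token-bucket model configured like the poster's `ratelimit interval 4 burst 4` with chrony's default `leak 2`, flooded with 4000 requests from one address, plus the traffic-saving arithmetic from the last paragraph. The class and function names are assumptions; chrony leaks over-limit responses randomly, whereas this model leaks every 2^leak-th request so the outcome is reproducible.

```python
"""Simplified model of chrony-style NTP response rate limiting with a leak.

Not chrony's code: a token bucket refilled once per 2**interval seconds up
to `burst` tokens, plus a leak that still answers 1 in 2**leak over-limit
requests. Chrony leaks randomly; this model leaks every 2**leak-th request.
"""
from dataclasses import dataclass, field


@dataclass
class LeakyRateLimiter:
    interval: int = 3   # log2 of seconds per token (interval 4 -> 16 s)
    burst: int = 8      # maximum number of tokens that can be saved up
    leak: int = 2       # answer 1 in 2**leak over-limit requests (default 2)
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)
    dropped: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # start with a full burst

    def allow(self, now: float) -> bool:
        """Decide whether the request arriving at time `now` is answered."""
        # Refill one token per 2**interval seconds, capped at burst.
        refill = (now - self.last) / 2 ** self.interval
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        # Over the limit: leak every 2**leak-th request so a flood with a
        # spoofed source address cannot fully silence the real client.
        self.dropped += 1
        return self.dropped % (2 ** self.leak) == 0


def simulate_flood(n_requests: int, spacing: float, **kw) -> int:
    """Return how many of n_requests, `spacing` seconds apart, get answered."""
    rl = LeakyRateLimiter(**kw)
    return sum(rl.allow(i * spacing) for i in range(n_requests))


def traffic_saving(answered_fraction: float) -> float:
    """Fraction of request+response packets saved versus answering all."""
    return 1 - (1 + answered_fraction) / 2


if __name__ == "__main__":
    answered = simulate_flood(4000, 0.001, interval=4, burst=4)
    print(f"answered {answered} of 4000")            # 4 burst + 999 leaked
    print(f"saving: {traffic_saving(answered / 4000):.3f}")  # close to 0.375
```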

