NTP server stability since day one


#1

I’ve joined to have my server be available in the ntp pool but poor scores prevent it from being used. I’ve added it to the beta system and it was running fine, then the bottom dropped out and it stays like that. Any help would be appreciated to make it more stable.

https://web.beta.grundclock.com/scores/70.35.192.50

Thank you.
Marek


#2

That’s what I get as a response from your server:

~$ ntpdate -d 70.35.192.50
21 Mar 16:54:22 ntpdate[29701]: ntpdate 4.2.6p5@1.2349-o Wed Jul 12 12:22:59 UTC 2017 (1)
Looking for host 70.35.192.50 and service ntp
host found : 70.35.192.50
transmit(70.35.192.50)
receive(70.35.192.50)
21 Mar 16:54:22 ntpdate[29701]: 70.35.192.50 rate limit response from server.
70.35.192.50: Server dropped: no data
server 70.35.192.50, port 123
stratum 0, precision 0, leap 00, trust 000
refid [70.35.192.50], delay 0.00000, dispersion 64.00000
transmitted 1, in filter 0
reference time:    00000000.00000000  Mon, Jan  1 1900  1:00:00.000
originate timestamp: 00000000.00000000  Mon, Jan  1 1900  1:00:00.000
transmit timestamp:  de5cfeae.a17612a7  Wed, Mar 21 2018 16:54:22.630
filter delay:  0.00000  0.00000  0.00000  0.00000
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000

#3

It looks like you might be aggressively rate limiting, is that possible? One of the monitors does 3 queries (with a couple seconds between each) and it sometimes gets a “RATE” “Kiss of death” response.

https://web.beta.grundclock.com/scores/70.35.192.50/log?limit=500&monitor=18


#4

Thank you for your responses.

Here is what I have in my config, thoughts?

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod limited nomodify notrap nopeer noquery limited
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict -6 ::1
restrict ::1


#5

Hey there, I’m still seeing instability, what settings should I use to make it go in the pool?


#6

It looks better now, doesn’t it? The problem on the beta system for your IP appears to be network connectivity to the monitor in Zurich (but it’s been working better the last few days, right?)


#7

Actually this is what I did and it might actually make my box vulnerable to flooding:

restrict -20 default kod notrap nomodify nopeer noquery limited
restrict -10 default kod notrap nomodify nopeer noquery limited

Not too entirely sure why I need two lines exactly the same with different numbers, but here it is. This seemed to make things better.

Should this be adjusted in any way?


#8

I think those restrict lines are ignored by ntpd as there can be only -4 or -6 for IPv4 or IPv6 respectively.

It seems 70.35.192.50 is responding to ntpq/ntpdc queries. That’s not good. You need to add a valid restrict default line to your config to prevent your server from being used in amplification attacks.


#9

What would that restrict line look like?

I added this line after you posted your message, but that is causing the queries to be blocked so I removed it.
restrict default kod limited nomodify notrap nopeer noquery limited

So now I have the following:
#restrict default kod limited nomodify notrap nopeer noquery limited
restrict -20 default kod notrap nomodify nopeer noquery limited
restrict -10 default kod notrap nomodify nopeer noquery limited


#10

What you said makes sense that these values would be ignored as it is working perfectly with them. As soon as I changed it to -4 and -6 respectively all went down.

I really would love to have this working as it should but since 3/20 I cannot get anyone to help with the config. I am running Ubuntu 12 and a standard ntp distribution, nothing fancy.

Help anyone?


#11

This is actually what I have now, and will not be changing until I get a solid answer as I do not want to be a source of DDoS attacks.

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
discard average 5 minimum 1

This does not seem to be working at all either. Here are the results:

https://web.beta.grundclock.com/scores/70.35.192.50


#12

If the monitoring nodes are sending only 3 packets, I don’t think discard average of 5 should trigger rate limiting (and a KoD response).

What ntp version is in Ubuntu 12? Maybe it’s just a bug that was present in older versions.

I’d suggest to disable the rate limiting (i.e. remove the limited and kod options from the restrict lines).


#13

I’m sorry, it’s Ubuntu 14 not 12, my mistake.

The version of ntpd is 4.2.6p5

I removed both kod and limited and the monitors are starting to pick it up again from -99. I assume we need both kod and limited, so how do I make sure it works properly?
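An added check, not part of this thread or of the NTP project, that encodes the points raised in #8 and #11: restrict lines with a family flag other than -4 or -6 are ignored, a server with no effective "restrict default" answers ntpq/ntpdc queries from anyone, and "limited"/"kod" on the default line are what produce the RATE responses the monitors saw. The sample configuration is a constructed copy of the lines posted above; the finding texts are this example's own wording.

```python
# Constructed copies of the restrict lines posted in this thread (not a real config file).
SAMPLE_CONF = """\
restrict -20 default kod notrap nomodify nopeer noquery limited
restrict -10 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict -6 ::1
"""

VALID_FAMILY = {"-4", "-6"}  # the only address-family flags ntpd accepts on restrict


def parse_restrict(conf):
    """Return (family, target, flags) for every restrict line; comments are dropped."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = tokens.pop(0) if tokens and tokens[0].startswith("-") else None
        target = tokens.pop(0) if tokens else None
        rules.append((family, target, set(tokens)))
    return rules


def check_restrict(conf):
    """Flag ignored lines, missing default restrictions, and open control queries."""
    findings = []
    defaults = {"-4": None, "-6": None}  # effective 'restrict default' flags per family
    for family, target, flags in parse_restrict(conf):
        if family is not None and family not in VALID_FAMILY:
            findings.append(f"invalid family flag {family}: ntpd expects -4 or -6, line is ignored")
            continue
        if target == "default":
            # a bare 'restrict default' applies to both IPv4 and IPv6
            for fam in ([family] if family else ["-4", "-6"]):
                defaults[fam] = flags
    for fam, flags in defaults.items():
        if flags is None:
            findings.append(f"no 'restrict {fam} default' line: every {fam} client gets full access")
        elif "noquery" not in flags:
            findings.append(f"'restrict {fam} default' lacks noquery: ntpq/ntpdc queries are answered (amplification risk)")
        elif "limited" in flags:
            mode = "with kod" if "kod" in flags else "without kod"
            findings.append(f"'restrict {fam} default' rate-limits ({mode}); tune 'discard' if monitors see RATE")
    return findings


if __name__ == "__main__":
    for finding in check_restrict(SAMPLE_CONF):
        print(finding)
```

Run against the -20/-10 configuration it reports the two ignored lines and the resulting absence of any default restriction; run against the -4/-6 lines from #11 it reports only that both families rate-limit with kod.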