Recent NTP pool traffic increase

Denys Fedoryshchenko denys at visp.net.lb
Mon Dec 19 19:11:24 UTC 2016


I noticed now that many customers using TP-Links reported issues with their 
internet connection.
Analyzing internet traffic, I noticed that the TP-Link seems to be excessively 
requesting NTP from these IP addresses, and not trying others:

  > 192.5.41.40.123: NTPv3, Client, length 48
  > 192.5.41.41.123: NTPv3, Client, length 48
  > 133.100.9.2.123: NTPv3, Client, length 48

I'm asking the customer to take a photo of the device, to retrieve the model and 
revision, and am checking other customers as well, to see if they are abusing the same 
servers.

On 2016-12-19 20:33, Ca By wrote:
> My WAG is that the one plus updated firmware on that day and they baked in
> the pool.
> 
> Complete WAG, but time and distributed sources including wireless
> networks
> 
> 
> On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont <admin at coldnorthadmin.com> wrote:
> 
>> I also have a similar experience with an increased load.
>> 
>> I'm running a pretty basic Linode VPS and I had to fine tune a few
>> things in order to deal with the increased traffic. I can clearly see a
>> date around the 14-15 where my traffic increases to 3-4 times the usual
>> amounts.
>> 
>> I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs
>> 
>> http://i.imgur.com/mygYINk.png
>> 
>> Weird stuff
>> 
>> Laurent
>> 
>> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
>> > Yo All!
>> >
>> > On Sat, 17 Dec 2016 17:54:55 -0800
>> > "Gary E. Miller" <gem at rellim.com> wrote:
>> >
>> >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>> >>
>> >> And I do indeed get odd results.  Some on my local network...
>> >
>> > To follow up on my own post, so this can be promptly laid to rest.
>> >
>> > After some discussion at NTPsec, it seems that chronyd takes a lot
>> > of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
>> > just 'odd', and not new.
>> >
>> > So, nothing to see here, back to the hunt for the real cause of the new
>> > NTP traffic.
>> >
>> > RGDS
>> > GARY
>> >
>> > ---------------------------------------------------------------------------
>> > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>> >       gem at rellim.com  Tel:+1 541 382 8588
>> 
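
As an added example (not code from the thread), a small script in the spirit of Denys's traffic analysis: it parses `tcpdump -n` NTP lines of the form quoted at the top of the message and flags source addresses that send many requests to only a few fixed servers, the "not trying others" symptom. The capture lines, the 10.0.0.x sources and the thresholds are constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Matches tcpdump -n output for NTP client requests, e.g.
#   IP 10.0.0.5.123 > 192.5.41.40.123: NTPv3, Client, length 48
# (an optional timestamp prefix is tolerated because search() is used).
NTP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.123: "
    r"NTPv\d, Client, length \d+"
)

def parse_ntp_requests(lines):
    """Return (src, dst) pairs for every NTP client-request line."""
    pairs = []
    for line in lines:
        m = NTP_LINE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs

def find_fixated_clients(lines, min_requests=10, max_servers=3):
    """Flag sources that send >= min_requests requests to a small fixed set
    of servers (<= max_servers distinct destinations) in the capture window.
    Returns {src: Counter(dst -> request count)} for flagged sources only."""
    per_src = defaultdict(Counter)
    for src, dst in parse_ntp_requests(lines):
        per_src[src][dst] += 1
    return {
        src: dsts for src, dsts in per_src.items()
        if sum(dsts.values()) >= min_requests and len(dsts) <= max_servers
    }

# Constructed sample capture (not from the post): 10.0.0.5 hammers the three
# servers quoted in the post; 10.0.0.9 is a normal client doing one exchange.
SAMPLE_CAPTURE = (
    ["IP 10.0.0.5.123 > 192.5.41.40.123: NTPv3, Client, length 48"] * 6
    + ["IP 10.0.0.5.123 > 192.5.41.41.123: NTPv3, Client, length 48"] * 5
    + ["IP 10.0.0.5.123 > 133.100.9.2.123: NTPv3, Client, length 48"] * 4
    + ["IP 10.0.0.9.49152 > 203.0.113.10.123: NTPv4, Client, length 48"]
    + ["IP 203.0.113.10.123 > 10.0.0.9.49152: NTPv4, Server, length 48"]
)

if __name__ == "__main__":
    for src, dsts in find_fixated_clients(SAMPLE_CAPTURE).items():
        print(f"{src}: {sum(dsts.values())} requests to {len(dsts)} server(s): {dict(dsts)}")
```

Feed it real capture output (`tcpdump -n port 123`) over a fixed window to turn the per-source counts into a rate before deciding a device is misbehaving.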



More information about the NANOG mailing list