Recent NTP pool traffic increase (update)

Denys Fedoryshchenko denys at visp.net.lb
Mon Dec 19 19:22:11 UTC 2016


Many sorry! Update, seems illiterate in english (worse than me, hehe) 
customer was not precise about model of router, while he reported issue.

I noticed now many customers using specific models of routers reported 
issues with internet connection.
Analyzing internet traffic, i noticed that this routers seems 
excessively requesting ntp from those ip addresses, and not trying 
others:

  > 192.5.41.40.123: NTPv3, Client, length 48
  > 192.5.41.41.123: NTPv3, Client, length 48
  > 133.100.9.2.123: NTPv3, Client, length 48

I'm asking customer to make photo of device, to retrieve model and 
revision, and checking other customers as well, if they are abusing same 
servers.
There is definitely pattern, that all of them are using just this 3 
hardcoded servers. Problem is that many customers are changing mac of 
router, so i cannot clearly
identify vendor by first mac nibbles.
He sent me 2 photos, one of them LB-Link (mac vendor lookup 20:f4:1b 
says Shenzhen Bilian electronic CO.,LTD), another is Tenda (c8:3a:35 is 
Tenda).
If it is necessary i can investigate further.


On 2016-12-19 20:33, Ca By wrote:
> My WAG is that the one plus updated firmeware on that day and they 
> baked in
> the pool.
> 
> Complete WAG, but time and distributed sources including wireless 
> networks
> 
> 
> On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont 
> <admin at coldnorthadmin.com>
> wrote:
> 
>> I also have a similar experience with an increased load.
>> 
>> 
>> 
>> I'm running a pretty basic Linode VPS and I had to fine tune a few
>> 
>> things in order to deal with the increased traffic. I can clearly see 
>> a
>> 
>> date around the 14-15 where my traffic increases to 3-4 times the 
>> usual
>> 
>> amounts.
>> 
>> 
>> 
>> I did a quick dump and in 60 seconds I was hit by slightly over 190K 
>> IPs
>> 
>> 
>> 
>> http://i.imgur.com/mygYINk.png
>> 
>> 
>> 
>> Weird stuff
>> 
>> 
>> 
>> Laurent
>> 
>> 
>> 
>> 
>> 
>> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
>> 
>> > Yo All!
>> 
>> >
>> 
>> > On Sat, 17 Dec 2016 17:54:55 -0800
>> 
>> > "Gary E. Miller" <gem at rellim.com> wrote:
>> 
>> >
>> 
>> >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>> 
>> >>
>> 
>> >> And I do indeed get odd results.  Some on my local network...
>> 
>> > To follow up on my own post, so this can be promply laid to rest.
>> 
>> >
>> 
>> > After some discussion at NTPsec.  It seems that chronyd takes a lot
>> 
>> > of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
>> 
>> > just 'odd', and not new.
>> 
>> >
>> 
>> > So, nothing see here, back to the hunt for the real cause of the new
>> 
>> > NTP traffic.
>> 
>> >
>> 
>> > RGDS
>> 
>> > GARY
>> 
>> >
>> ---------------------------------------------------------------------------
>> 
>> > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>> 
>> >       gem at rellim.com  Tel:+1 541 382 8588
>> 
>> 
>> 
>> 


More information about the NANOG mailing list