Recent NTP pool traffic increase

David opendak at shaw.ca
Mon Dec 19 19:52:59 UTC 2016


On 2016-12-19 11:29 AM, Laurent Dumont wrote:
> I also have a similar experience with an increased load.
>
> I'm running a pretty basic Linode VPS and I had to fine tune a few
> things in order to deal with the increased traffic. I can clearly see a
> date around the 14-15 where my traffic increases to 3-4 times the usual
> amounts.

 From a source network point of view we see devices come online and hit 
~35 unique NTP servers within a few seconds.

I'll try to see if I can track down what type of devices they are.

>
> I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs
>
> http://i.imgur.com/mygYINk.png
>
> Weird stuff
>
> Laurent
>
>
> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
>> Yo All!
>>
>> On Sat, 17 Dec 2016 17:54:55 -0800
>> "Gary E. Miller" <gem at rellim.com> wrote:
>>
>>> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>>>
>>> And I do indeed get odd results.  Some on my local network...
>> To follow up on my own post, so this can be promply laid to rest.
>>
>> After some discussion at NTPsec.  It seems that chronyd takes a lot
>> of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
>> just 'odd', and not new.
>>
>> So, nothing see here, back to the hunt for the real cause of the new
>> NTP traffic.
>>
>> RGDS
>> GARY
>> ---------------------------------------------------------------------------
>>
>> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>>     gem at rellim.com  Tel:+1 541 382 8588
>



More information about the NANOG mailing list