Recent NTP pool traffic increase

Dan Drown dan-nanog at drown.org
Mon Dec 19 21:49:11 UTC 2016


Quoting David <opendak at shaw.ca>:
> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>> I found devices doing lookups for all of these at the same time
>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
>>> and then it proceeds to use everything returned, which explains why
>>> everyone is seeing an increase.
>>
>> Thanks, David. That perfectly matches the list of servers used by
>> older versions of the ios-ntp library[1][2], which would point toward
>> some iPhone app being the source of the traffic.
>>
>> [1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>> [2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>
>
> That would make sense - I see a lot of iCloud related lookups from  
> these hosts as well.
>
> Also, app.snapchat.com generally seems to follow just after the NTP  
> pool DNS lookups. I don't have an iPhone to test that though.

Confirmed - starting up the iOS Snapchat app does a lookup to the  
domains you listed, and then sends NTP to every unique IP.  Around  
35-60 different IPs.

Anyone have a contact at Snapchat?
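
[Added example, not part of the original message or of ios-ntp: one way a resolver operator could flag clients showing the lookup pattern described in this thread, i.e. all nine pool names queried close together. The log format ("epoch_seconds client_ip qname"), the 5-second window, the function names and the sample addresses are assumptions made for illustration.]

```python
from collections import Counter, defaultdict

# Zone prefixes exactly as listed in the thread; the suffix is pool.ntp.org.
PREFIXES = ["0", "0.uk", "0.us", "asia", "europe", "north-america",
            "south-america", "oceania", "africa"]
FINGERPRINT = frozenset(f"{p}.pool.ntp.org" for p in PREFIXES)

def parse(line):
    """Parse 'epoch_seconds client_ip qname' (assumed, constructed log format)."""
    ts, client, qname = line.split()
    return float(ts), client, qname.rstrip(".").lower()

def matching_clients(lines, window=5.0):
    """Return sorted clients that queried every fingerprint name within `window` seconds."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname = parse(line)
        if qname in FINGERPRINT:
            per_client[client].append((ts, qname))
    hits = set()
    for client, events in per_client.items():
        events.sort()
        seen, left = Counter(), 0
        for ts, qname in events:
            seen[qname] += 1
            # Drop queries that have fallen out of the time window.
            while ts - events[left][0] > window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) == len(FINGERPRINT):
                hits.add(client)
                break
    return sorted(hits)

# Constructed sample data (documentation addresses):
#   192.0.2.10 asks for all nine names within one second (the pattern),
#   192.0.2.20 is an ordinary client using a single pool name,
#   192.0.2.30 asks for all nine names, but one per hour.
NAMES = sorted(FINGERPRINT)
SAMPLE = (
    [f"{1000.0 + i * 0.1:.1f} 192.0.2.10 {n}." for i, n in enumerate(NAMES)]
    + ["1000.5 192.0.2.20 0.pool.ntp.org."]
    + [f"{2000.0 + i * 3600:.1f} 192.0.2.30 {n}" for i, n in enumerate(NAMES)]
)

if __name__ == "__main__":
    print(matching_clients(SAMPLE))
```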


