Recent NTP pool traffic increase
admin at coldnorthadmin.com
Tue Dec 20 05:18:18 UTC 2016
If anything comes from this, I'd love to hear about it. As a student in
the field, this is the kind of stuff I live for! ;)
Pretty awesome to see the chain of events after seeing a post on the
On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
> replying off list.
> Justin Paine
> Head of Trust & Safety
> Cloudflare Inc.
> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
> On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog at drown.org> wrote:
>> Quoting David <opendak at shaw.ca>:
>>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>> I found devices doing lookups for all of these at the same time
>>>>> and then it proceeds to use everything returned, which explains why
>>>>> everyone is seeing an increase.
>>>> Thanks, David. That perfectly matches the list of servers used by
>>>> older versions of the ios-ntp library, which would point toward
>>>> some iPhone app being the source of the traffic.
>>> That would make sense - I see a lot of iCloud related lookups from these
>>> hosts as well.
>>> Also, app.snapchat.com generally seems to follow just after the NTP pool
>>> DNS lookups. I don't have an iPhone to test that though.
>> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
>> you listed, and then sends NTP to every unique IP. Around 35-60 different
>> Anyone have a contact at Snapchat?
More information about the NANOG