Recent NTP pool traffic increase
royce at techsolvency.com
Tue Dec 20 15:23:45 UTC 2016
On Mon, Dec 19, 2016 at 12:49 PM, Dan Drown <dan-nanog at drown.org> wrote:
> Quoting David <opendak at shaw.ca>:
>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>> I found devices doing lookups for all of these at the same time
>>>> and then it proceeds to use everything returned, which explains why
>>>> everyone is seeing an increase.
>>> Thanks, David. That perfectly matches the list of servers used by
>>> older versions of the ios-ntp library, which would point toward
>>> some iPhone app being the source of the traffic.
>> That would make sense - I see a lot of iCloud related lookups from these
>> hosts as well.
>> Also, app.snapchat.com generally seems to follow just after the NTP pool
>> DNS lookups. I don't have an iPhone to test that though.
> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
> you listed, and then sends NTP to every unique IP. Around 35-60 different
> Anyone have a contact at Snapchat?
Looks like folks got in touch with them. Thanks!
More information about the NANOG