Recent NTP pool traffic increase

Jad Boutros jad at snap.com
Tue Dec 20 05:27:15 UTC 2016


We - at Snap - were forwarded this thread just a few hours ago and are
investigating. Please email me should you still be looking for a contact
for Snapchat.

Thank you,
Jad

On Mon, Dec 19, 2016 at 9:18 PM, Laurent Dumont <admin at coldnorthadmin.com>
wrote:

> If anything comes from this, I'd love to hear about it. As a student in
> the field, this is the kind of stuff I live for! ;)
>
> Pretty awesome to see the chain of events after seeing a post on the
> [pool] list!
>
> Laurent
>
> On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
>
>> replying off list.
>>
>> ____________
>> Justin Paine
>> Head of Trust & Safety
>> Cloudflare Inc.
>> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>>
>>
>> On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog at drown.org> wrote:
>>
>>> Quoting David <opendak at shaw.ca>:
>>>
>>>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>>
>>>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>>
>>>>>> I found devices doing lookups for all of these at the same time
>>>>>>
>>>>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.
>>>>>> pool.ntp.org
>>>>>> and then it proceeds to use everything returned, which explains why
>>>>>> everyone is seeing an increase.
>>>>>>
>>>>>
>>>>> Thanks, David. That perfectly matches the list of servers used by
>>>>> older versions of the ios-ntp library[1][2], which would point toward
>>>>> some iPhone app being the source of the traffic.
>>>>>
>>>>> [1]
>>>>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0
>>>>> c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>>>> [2]
>>>>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9d
>>>>> ec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>>>
>>>>> That would make sense - I see a lot of iCloud related lookups from
>>>> these
>>>> hosts as well.
>>>>
>>>> Also, app.snapchat.com generally seems to follow just after the NTP
>>>> pool
>>>> DNS lookups. I don't have an iPhone to test that though.
>>>>
>>>
>>> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
>>> you listed, and then sends NTP to every unique IP.  Around 35-60
>>> different
>>> IPs.
>>>
>>> Anyone have a contact at Snapchat?
>>>
>>
>


More information about the NANOG mailing list