Recent NTP pool traffic increase

Jad Boutros jad at snap.com
Tue Dec 20 18:58:57 UTC 2016


Immediately after being notified that our latest iOS release was causing
problems with NTP traffic, we started working to disable the offending code
in v9.45. We submitted a new mobile release to the Apple App Store earlier
this morning for their review, which should disable these NTP requests. We
are hoping Apple will be able to review this release in time before the
holiday break, and we have stressed its urgency. When the release does get
approved, we should very quickly begin to see a decrease in NTP traffic
from our app as users start upgrading to the new release.

We deeply regret this situation, and we will post an update here once we
hear back from Apple. We are also open to any suggestions on how we can
help with the present traffic.

On Mon, Dec 19, 2016 at 9:27 PM, Jad Boutros <jad at snap.com> wrote:

> We - at Snap - were forwarded this thread just a few hours ago and are
> investigating. Please email me should you still be looking for a contact
> for Snapchat.
>
> Thank you,
> Jad
>
> On Mon, Dec 19, 2016 at 9:18 PM, Laurent Dumont <admin at coldnorthadmin.com>
> wrote:
>
>> If anything comes from this, I'd love to hear about it. As a student in
>> the field, this is the kind of stuff I live for! ;)
>>
>> Pretty awesome to see the chain of events after seeing a post on the
>> [pool] list!
>>
>> Laurent
>>
>> On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
>>
>>> replying off list.
>>>
>>> ____________
>>> Justin Paine
>>> Head of Trust & Safety
>>> Cloudflare Inc.
>>> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>>>
>>>
>>> On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog at drown.org> wrote:
>>>
>>>> Quoting David <opendak at shaw.ca>:
>>>>
>>>>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>>>
>>>>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>>>
>>>>>>> I found devices doing lookups for all of these at the same time
>>>>>>>
>>>>>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania
>>>>>>> ,africa}.pool.ntp.org
>>>>>>> and then it proceeds to use everything returned, which explains why
>>>>>>> everyone is seeing an increase.
>>>>>>>
>>>>>>
>>>>>> Thanks, David. That perfectly matches the list of servers used by
>>>>>> older versions of the ios-ntp library[1][2], which would point toward
>>>>>> some iPhone app being the source of the traffic.
>>>>>>
>>>>>> [1]
>>>>>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0
>>>>>> c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>>>>> [2]
>>>>>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9d
>>>>>> ec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>>>>
>>>>>> That would make sense - I see a lot of iCloud related lookups from
>>>>> these
>>>>> hosts as well.
>>>>>
>>>>> Also, app.snapchat.com generally seems to follow just after the NTP
>>>>> pool
>>>>> DNS lookups. I don't have an iPhone to test that though.
>>>>>
>>>>
>>>> Confirmed - starting up the iOS Snapchat app does a lookup to the
>>>> domains
>>>> you listed, and then sends NTP to every unique IP.  Around 35-60
>>>> different
>>>> IPs.
>>>>
>>>> Anyone have a contact at Snapchat?
>>>>
>>>
>>
>


More information about the NANOG mailing list