Recent NTP pool traffic increase

Peter Beckman beckman at angryox.com
Tue Dec 20 23:11:11 UTC 2016


Mostly out of curiosity, what was the reason for the change in the Snapchat
code, and what plans does Snap have for whatever reason the NTP change was
put in place?

Beckman

On Tue, 20 Dec 2016, Jad Boutros via NANOG wrote:

> Immediately after being notified that our latest iOS release was causing
> problems with NTP traffic, we started working to disable the offending code
> in v9.45. We submitted a new mobile release to the Apple App Store earlier
> this morning for their review, which should disable these NTP requests. We
> are hoping Apple will be able to review this release in time before the
> holiday break, and we have stressed its urgency. When the release does get
> approved, we should very quickly begin to see a decrease in NTP traffic
> from our app as users start upgrading to the new release.
>
> We deeply regret this situation, and we will post an update here once we
> hear back from Apple. We are also open to any suggestions on how we can
> help with the present traffic.
>
> On Mon, Dec 19, 2016 at 9:27 PM, Jad Boutros <jad at snap.com> wrote:
>
>> We - at Snap - were forwarded this thread just a few hours ago and are
>> investigating. Please email me should you still be looking for a contact
>> for Snapchat.
>>
>> Thank you,
>> Jad
>>
>> On Mon, Dec 19, 2016 at 9:18 PM, Laurent Dumont <admin at coldnorthadmin.com>
>> wrote:
>>
>>> If anything comes from this, I'd love to hear about it. As a student in
>>> the field, this is the kind of stuff I live for! ;)
>>>
>>> Pretty awesome to see the chain of events after seeing a post on the
>>> [pool] list!
>>>
>>> Laurent
>>>
>>> On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
>>>
>>>> replying off list.
>>>>
>>>> ____________
>>>> Justin Paine
>>>> Head of Trust & Safety
>>>> Cloudflare Inc.
>>>> PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
>>>>
>>>>
>>>> On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog at drown.org> wrote:
>>>>
>>>>> Quoting David <opendak at shaw.ca>:
>>>>>
>>>>>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>>>>
>>>>>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>>>>
>>>>>>>> I found devices doing lookups for all of these at the same time
>>>>>>>>
>>>>>>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania
>>>>>>>> ,africa}.pool.ntp.org
>>>>>>>> and then it proceeds to use everything returned, which explains why
>>>>>>>> everyone is seeing an increase.
>>>>>>>>
>>>>>>>
>>>>>>> Thanks, David. That perfectly matches the list of servers used by
>>>>>>> older versions of the ios-ntp library[1][2], which would point toward
>>>>>>> some iPhone app being the source of the traffic.
>>>>>>>
>>>>>>> [1]
>>>>>>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0
>>>>>>> c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>>>>>> [2]
>>>>>>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9d
>>>>>>> ec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>>>>>
>>>>>>> That would make sense - I see a lot of iCloud related lookups from
>>>>>> these
>>>>>> hosts as well.
>>>>>>
>>>>>> Also, app.snapchat.com generally seems to follow just after the NTP
>>>>>> pool
>>>>>> DNS lookups. I don't have an iPhone to test that though.
>>>>>>
>>>>>
>>>>> Confirmed - starting up the iOS Snapchat app does a lookup to the
>>>>> domains
>>>>> you listed, and then sends NTP to every unique IP.  Around 35-60
>>>>> different
>>>>> IPs.
>>>>>
>>>>> Anyone have a contact at Snapchat?
>>>>>
>>>>
>>>
>>
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------



More information about the NANOG mailing list