[193093] in North American Network Operators' Group
Re: Recent NTP pool traffic increase
daemon@ATHENA.MIT.EDU (Justin Paine via NANOG)
Mon Dec 19 17:13:32 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <20161219154911.Horde.3gd3oeF2oc4iYUIoPf37uAH@mail.drown.org>
Date: Mon, 19 Dec 2016 14:12:49 -0800
To: Dan Drown <dan-nanog@drown.org>
From: Justin Paine via NANOG <nanog@nanog.org>
Reply-To: Justin Paine <justin@cloudflare.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
replying off list.
____________
Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog@drown.org> wrote:
> Quoting David <opendak@shaw.ca>:
>>
>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>
>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>>
>>>> I found devices doing lookups for all of these at the same time
>>>>
>>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
>>>> and then it proceeds to use everything returned, which explains why
>>>> everyone is seeing an increase.
>>>
>>>
>>> Thanks, David. That perfectly matches the list of servers used by
>>> older versions of the ios-ntp library[1][2], which would point toward
>>> some iPhone app being the source of the traffic.
>>>
>>> [1]
>>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>> [2]
>>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>
>>
>> That would make sense - I see a lot of iCloud related lookups from these
>> hosts as well.
>>
>> Also, app.snapchat.com generally seems to follow just after the NTP pool
>> DNS lookups. I don't have an iPhone to test that though.
>
>
> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
> you listed, and then sends NTP to every unique IP. Around 35-60 different
> IPs.
>
> Anyone have a contact at Snapchat?
