[193094] in North American Network Operators' Group


Re: Recent NTP pool traffic increase

daemon@ATHENA.MIT.EDU (David)
Mon Dec 19 18:31:27 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: David <opendak@shaw.ca>
Date: Mon, 19 Dec 2016 12:52:59 -0700
In-Reply-To: <88a02ab4-7d66-f0d0-2a7e-9606dda501be@coldnorthadmin.com>
Errors-To: nanog-bounces@nanog.org

On 2016-12-19 11:29 AM, Laurent Dumont wrote:
> I also have a similar experience with an increased load.
>
> I'm running a pretty basic Linode VPS and I had to fine tune a few
> things in order to deal with the increased traffic. I can clearly see a
> date around the 14-15 where my traffic increases to 3-4 times the usual
> amounts.

From a source network point of view we see devices come online and hit
~35 unique NTP servers within a few seconds.

I'll try to see if I can track down what type of devices they are.

>
> I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs
>
> http://i.imgur.com/mygYINk.png
>
> Weird stuff
>
> Laurent
>
>
> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
>> Yo All!
>>
>> On Sat, 17 Dec 2016 17:54:55 -0800
>> "Gary E. Miller" <gem@rellim.com> wrote:
>>
>>> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>>>
>>> And I do indeed get odd results.  Some on my local network...
>> To follow up on my own post, so this can be promptly laid to rest.
>>
>> After some discussion at NTPsec.  It seems that chronyd takes a lot
>> of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
>> just 'odd', and not new.
>>
>> So, nothing to see here, back to the hunt for the real cause of the new
>> NTP traffic.
>>
>> RGDS
>> GARY
>> ---------------------------------------------------------------------------
>>
>> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>>     gem@rellim.com  Tel:+1 541 382 8588
>
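
Added example, not part of the original message or thread: one way a source network could flag the behaviour described above (a device contacting ~35 unique NTP servers within a few seconds) from flow records. The record layout, the 5-second window, the threshold of 30 and all addresses are assumptions; the sample flows are constructed.

```python
from collections import defaultdict, deque

NTP_PORT = 123
WINDOW_S = 5.0   # assumed reading of "within a few seconds"
THRESHOLD = 30   # assumed cut-off, just under the ~35 servers reported

def ntp_fanout(flows, window=WINDOW_S, threshold=THRESHOLD):
    """Return {src: peak number of distinct NTP servers contacted inside any
    sliding window} for sources whose peak reaches the threshold.
    flows: (timestamp, src, dst, dst_port) tuples sorted by timestamp."""
    recent = defaultdict(deque)                       # src -> (ts, dst) in window
    in_window = defaultdict(lambda: defaultdict(int)) # src -> dst -> packet count
    peak = defaultdict(int)
    for ts, src, dst, dport in flows:
        if dport != NTP_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        in_window[src][dst] += 1
        # Expire packets that have fallen out of the window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            in_window[src][old] -= 1
            if in_window[src][old] == 0:
                del in_window[src][old]
        peak[src] = max(peak[src], len(in_window[src]))
    return {s: p for s, p in peak.items() if p >= threshold}

def sample_flows():
    """Constructed records using documentation address ranges."""
    flows = []
    # Device that comes online and queries 35 servers in about 3.4 s.
    for i in range(35):
        flows.append((100.0 + i * 0.1, "192.0.2.10", f"198.51.100.{i + 1}", 123))
    # Ordinary client polling the same 4 servers every 64 s.
    for r in range(10):
        for i in range(4):
            flows.append((100.0 + r * 64 + i * 0.2, "192.0.2.20",
                          f"203.0.113.{i + 1}", 123))
    # Host reaching 40 servers, but one every 10 s (slow, not a burst).
    for i in range(40):
        flows.append((100.0 + i * 10, "192.0.2.30", f"198.51.100.{i + 100}", 123))
    flows.append((101.0, "192.0.2.10", "198.51.100.200", 53))  # non-NTP, ignored
    return sorted(flows)

if __name__ == "__main__":
    for src, n in ntp_fanout(sample_flows()).items():
        print(f"{src}: {n} distinct NTP servers within {WINDOW_S}s")
```

Only the burst source is reported with the default window; widening the window also surfaces the slow host, so the window length is what separates a start-up burst from ordinary pool rotation.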

