nanog mailing list archives
Re: Recent NTP pool traffic increase (update)
From: Denys Fedoryshchenko <denys () visp net lb>
Date: Mon, 19 Dec 2016 21:22:11 +0200
Many sorry! Update, seems illiterate in english (worse than me, hehe) customer was not precise about model of router, while he reported issue.
I noticed now many customers using specific models of routers reported issues with internet connection. Analyzing internet traffic, i noticed that this routers seems excessively requesting ntp from those ip addresses, and not trying others:
> 192.5.41.40.123: NTPv3, Client, length 48 > 192.5.41.41.123: NTPv3, Client, length 48 > 133.100.9.2.123: NTPv3, Client, length 48I'm asking customer to make photo of device, to retrieve model and revision, and checking other customers as well, if they are abusing same servers. There is definitely pattern, that all of them are using just this 3 hardcoded servers. Problem is that many customers are changing mac of router, so i cannot clearly
identify vendor by first mac nibbles.He sent me 2 photos, one of them LB-Link (mac vendor lookup 20:f4:1b says Shenzhen Bilian electronic CO.,LTD), another is Tenda (c8:3a:35 is Tenda).
If it is necessary i can investigate further. On 2016-12-19 20:33, Ca By wrote:
My WAG is that the one plus updated firmeware on that day and they baked inthe pool.Complete WAG, but time and distributed sources including wireless networksOn Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont <admin () coldnorthadmin com>wrote:I also have a similar experience with an increased load. I'm running a pretty basic Linode VPS and I had to fine tune a fewthings in order to deal with the increased traffic. I can clearly see adate around the 14-15 where my traffic increases to 3-4 times the usualamounts.I did a quick dump and in 60 seconds I was hit by slightly over 190K IPshttp://i.imgur.com/mygYINk.png Weird stuff Laurent On 12/17/2016 10:25 PM, Gary E. Miller wrote: > Yo All! > > On Sat, 17 Dec 2016 17:54:55 -0800 > "Gary E. Miller" <gem () rellim com> wrote: > >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:" >> >> And I do indeed get odd results. Some on my local network... > To follow up on my own post, so this can be promply laid to rest. > > After some discussion at NTPsec. It seems that chronyd takes a lot > of 'creative license' with RFC 5905 (NTPv4). But it is not malicious, > just 'odd', and not new. > > So, nothing see here, back to the hunt for the real cause of the new > NTP traffic. > > RGDS > GARY > --------------------------------------------------------------------------- > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 > gem () rellim com Tel:+1 541 382 8588
Current thread:
- Re: Recent NTP pool traffic increase, (continued)
- Re: Recent NTP pool traffic increase Allan Liska (Dec 16)
- Re: Recent NTP pool traffic increase Roland Dobbins (Dec 16)
- Re: Recent NTP pool traffic increase Roland Dobbins (Dec 16)
- Re: Recent NTP pool traffic increase Andreas Ott (Dec 17)
- Re: Recent NTP pool traffic increase Roland Dobbins (Dec 16)
- Re: Recent NTP pool traffic increase Allan Liska (Dec 16)
- Re: Recent NTP pool traffic increase Ask Bjørn Hansen (Dec 19)
- Re: Recent NTP pool traffic increase Gary E. Miller (Dec 17)
- Re: Recent NTP pool traffic increase Gary E. Miller (Dec 17)
- Re: Recent NTP pool traffic increase Laurent Dumont (Dec 19)
- Re: Recent NTP pool traffic increase Ca By (Dec 19)
- Re: Recent NTP pool traffic increase Denys Fedoryshchenko (Dec 19)
- Re: Recent NTP pool traffic increase (update) Denys Fedoryshchenko (Dec 19)
- Message not available
- Re: Recent NTP pool traffic increase (update) Denys Fedoryshchenko (Dec 19)
- Message not available
- Re: Recent NTP pool traffic increase (update) Denys Fedoryshchenko (Dec 21)
- Re: Recent NTP pool traffic increase (update) FUJIMURA Sho (Dec 22)
- Re: Recent NTP pool traffic increase (update) Ask Bjørn Hansen (Dec 22)
- Re: Recent NTP pool traffic increase (update) FUJIMURA Sho (Dec 24)
- Re: Recent NTP pool traffic increase (update) Harlan Stenn (Dec 25)
- Re: Recent NTP pool traffic increase Gary E. Miller (Dec 17)
- Re: Recent NTP pool traffic increase (update) FUJIMURA Sho (Dec 21)
- Re: Recent NTP pool traffic increase David (Dec 19)
- Re: Recent NTP pool traffic increase David (Dec 19)
- Re: Recent NTP pool traffic increase Dan Drown (Dec 19)