nanog mailing list archives

Re: Recent NTP pool traffic increase

From: Jad Boutros via NANOG <nanog () nanog org>
Date: Mon, 19 Dec 2016 21:27:15 -0800

We - at Snap - were forwarded this thread just a few hours ago and are
investigating. Please email me should you still be looking for a contact
for Snapchat.

Thank you,
Jad

On Mon, Dec 19, 2016 at 9:18 PM, Laurent Dumont <admin () coldnorthadmin com>
wrote:

If anything comes from this, I'd love to hear about it. As a student in
the field, this is the kind of stuff I live for! ;)

Pretty awesome to see the chain of events after seeing a post on the
[pool] list!

Laurent

On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:

replying off list.

____________
Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog () drown org> wrote:

Quoting David <opendak () shaw ca>:

On 2016-12-19 1:55 PM, Jan Tore Morken wrote:

On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

I found devices doing lookups for all of these at the same time

{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.
pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1]
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0
c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2]
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9d
ec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122

That would make sense - I see a lot of iCloud related lookups from

these
hosts as well.

Also, app.snapchat.com generally seems to follow just after the NTP
pool
DNS lookups. I don't have an iPhone to test that though.


Confirmed - starting up the iOS Snapchat app does a lookup to the domains
you listed, and then sends NTP to every unique IP.  Around 35-60
different
IPs.

Anyone have a contact at Snapchat?

Current thread:

Re: Recent NTP pool traffic increase, (continued)
- - - Re: Recent NTP pool traffic increase David (Dec 19)
    - Re: Recent NTP pool traffic increase David (Dec 19)
    - Re: Recent NTP pool traffic increase Dan Drown (Dec 19)
    - Re: Recent NTP pool traffic increase Jan Tore Morken (Dec 19)
    - Re: Recent NTP pool traffic increase David (Dec 19)
    - Re: Recent NTP pool traffic increase Justin Paine via NANOG (Dec 19)
    - Re: Recent NTP pool traffic increase Dan Drown (Dec 19)
    - Re: Recent NTP pool traffic increase Justin Paine via NANOG (Dec 19)
    - Re: Recent NTP pool traffic increase Laurent Dumont (Dec 19)
    - Re: Recent NTP pool traffic increase Roland Dobbins (Dec 20)
    - Re: Recent NTP pool traffic increase Jad Boutros via NANOG (Dec 20)
    - Re: Recent NTP pool traffic increase Jad Boutros via NANOG (Dec 20)
    - Message not available
    - Re: Recent NTP pool traffic increase Jad Boutros via NANOG (Dec 20)
    - Re: Recent NTP pool traffic increase Peter Beckman (Dec 20)
    - Re: Recent NTP pool traffic increase Valdis . Kletnieks (Dec 20)
    - Re: Recent NTP pool traffic increase Gary E. Miller (Dec 20)
    - Re: Recent NTP pool traffic increase Tim Raphael (Dec 20)
    - RE: Recent NTP pool traffic increase Emille Blanc (Dec 20)
    - Re: Recent NTP pool traffic increase Tim Raphael (Dec 20)
    - Re: Recent NTP pool traffic increase Keenan Tims (Dec 20)
    - Re: Recent NTP pool traffic increase Laurent Dumont (Dec 20)

(Thread continues...)