Re: Recent NTP pool traffic increase

[David <opendak () shaw ca>]

On 2016-12-19 11:29 AM, Laurent Dumont wrote:
> I also have a similar experience with an increased load.
>
> I'm running a pretty basic Linode VPS and I had to fine tune a few
> things in order to deal with the increased traffic. I can clearly see a
> date around the 14-15 where my traffic increases to 3-4 times the usual
> amounts.

From a source network point of view we see devices come online and hit 
~35 unique NTP servers within a few seconds.

I'll try to see if I can track down what type of devices they are.

> I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs
>
> http://i.imgur.com/mygYINk.png
>
> Weird stuff
>
> Laurent
>
>
> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
> > Yo All!
> >
> > On Sat, 17 Dec 2016 17:54:55 -0800
> > "Gary E. Miller" <gem () rellim com> wrote:
> >
> > > # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
> > >
> > > And I do indeed get odd results.  Some on my local network...
> > To follow up on my own post, so this can be promply laid to rest.
> >
> > After some discussion at NTPsec.  It seems that chronyd takes a lot
> > of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
> > just 'odd', and not new.
> >
> > So, nothing see here, back to the hunt for the real cause of the new
> > NTP traffic.
> >
> > RGDS
> > GARY
> > ---------------------------------------------------------------------------
> >
> > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> >     gem () rellim com  Tel:+1 541 382 8588