Re: Recent NTP pool traffic increase

[Royce Williams <royce () techsolvency com>]

On Mon, Dec 19, 2016 at 12:49 PM, Dan Drown <dan-nanog () drown org> wrote:
> Quoting David <opendak () shaw ca>:
> > On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
> > > On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
> > > > I found devices doing lookups for all of these at the same time
> > > >
> > > > {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
> > > > and then it proceeds to use everything returned, which explains why
> > > > everyone is seeing an increase.
> > >
> > >
> > > Thanks, David. That perfectly matches the list of servers used by
> > > older versions of the ios-ntp library[1][2], which would point toward
> > > some iPhone app being the source of the traffic.
> > >
> > > [1]
> > > https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
> > > [2]
> > > https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
> >
> > That would make sense - I see a lot of iCloud related lookups from these
> > hosts as well.
> >
> > Also, app.snapchat.com generally seems to follow just after the NTP pool
> > DNS lookups. I don't have an iPhone to test that though.
>
>
> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
> you listed, and then sends NTP to every unique IP.  Around 35-60 different
> IPs.
>
> Anyone have a contact at Snapchat?

Looks like folks got in touch with them. Thanks!

https://community.ntppool.org/t/recent-ntp-pool-traffic-increase/18

Royce