Hello,
there are multiple possible reasons for the behaviour you notice.
The icmp unreachable are probably caused by stupid NATs with a client behind
them. Or badly configured firewalls that allow all outgoing traffic and
then reject the incoming answer.
The spikes in your graph are probably caused by another sort of badly
written clients:
Clients that update on a fixed time, e.g. on a full hour.
I also regularly see requests on ports 13 (daytime service) and on port
37 (another old service).
Being in the pool easily lets you determine which networks and servers
are well administrated (you won't even notice them unless you use
tcpdump), scum (that sends you 20+ packets per second) and anything in
between.
Unless it hurts, I just ignore the badly administrated systems. For all
else I've got my firewall that blocks clients where sensible.
Regards,
Daniel
On 2014-02-10 23:03, Thomas Pfaff wrote:
Hello, list.
My ntp server is in the pool and since it was added I've been looking
more closely at the network traffic (out of curiosity) and there's a
few things that have me confused that I was hoping you guys could help
me understand.
Looking at a tcpdump on my external interface I see, obviously, a lot
of ntp requests and responses. Now, once in a while a response gets
answered with an icmp port unreachable, transaction something like
  example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
  ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
  example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
Why does it say "answer me on port 2690" and when I do I get "sorry,
that port is unreachable"? (read on; graph coming up)
My second question; why is the ntp traffic so spikey? For an hour I
get about 150 requests per minute and then suddenly I get about 7000
requests per minute for a short time, and then it drops.
I graphed the output of tcpdump for incoming udp/123 and icmp port
unreachable, hoping I could see a correlation between the spikes of
ntp queries and icmp port unreachable, though it's not as clear as
I had hoped.
Here's the graph -- http://tp76.info/rrd/ntp/still.png
(see http://tp76.info/rrd/ntp/ for "live" graph).
Note that the icmp port unreachable graph is not associated purely
with ntp queries, though my link is basically idle except for the
ntp traffic so it's pretty safe to assume they're highly related.
Just to be clear; I'm not complaining. I'd just very much like to
understand what I'm seeing.
Thank you.
Cheers,
Thomas.
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
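
Added example, not part of the original thread: a Python script that reads tcpdump text output in the format quoted above and reports requests per minute (the spikes), server replies that were answered with an ICMP port unreachable, and clients sending 20 or more requests in one second. It assumes one packet per line with a leading HH:MM:SS timestamp; the addresses, timestamps and the helper names req/resp/analyze are constructed for the example.

```python
import re
from collections import Counter

NTP = re.compile(r"^(\d\d:\d\d):(\d\d)\.\d+ (\S+)\.(\d+) > (\S+)\.(\d+): v\d (client|server) ")
ICMP = re.compile(r"^\S+ (\S+) > \S+: icmp: \S+ udp port (\d+) unreachable")

def analyze(lines, pps_limit=20):
    """Return (requests per minute, rejected replies, clients at or above pps_limit)."""
    per_minute = Counter()  # HH:MM -> request count; shows top-of-the-hour spikes
    per_second = Counter()  # (client, HH:MM:SS) -> request count
    replied = set()         # (client, port) pairs the server answered
    rejected = []           # answers that came back as ICMP port unreachable
    for line in lines:
        m = NTP.match(line)
        if m:
            minute, sec, src, sport, dst, dport, mode = m.groups()
            if mode == "client" and dport == "123":
                per_minute[minute] += 1
                per_second[(src, f"{minute}:{sec}")] += 1
            elif mode == "server" and sport == "123":
                replied.add((dst, dport))
            continue
        m = ICMP.match(line)
        if m and m.groups() in replied:
            rejected.append(m.groups())
    noisy = sorted({c for (c, _), n in per_second.items() if n >= pps_limit})
    return per_minute, rejected, noisy

# Constructed sample data (documentation address ranges, made-up timestamps).
SERVER = "198.51.100.1"

def req(ts, client, port):
    return f"{ts} {client}.{port} > {SERVER}.123: v4 client strat 0 poll 0 prec 0 (DF)"

def resp(ts, client, port):
    return f"{ts} {SERVER}.123 > {client}.{port}: v4 server strat 4 poll 0 prec -6 [tos 0x10]"

SAMPLE = [
    req("22:59:30.000000", "192.0.2.10", 2690),
    resp("22:59:30.000400", "192.0.2.10", 2690),
    f"22:59:30.050000 192.0.2.10 > {SERVER}: icmp: 192.0.2.10 udp port 2690 unreachable",
    req("22:59:40.000000", "192.0.2.20", 40123),
    resp("22:59:40.000400", "192.0.2.20", 40123),
] + [req(f"23:00:00.{i:06d}", "203.0.113.5", 123) for i in range(25)]

if __name__ == "__main__":
    per_minute, rejected, noisy = analyze(SAMPLE)
    print(dict(per_minute), rejected, noisy)
```

The noisy list is a starting point for the kind of firewall rule mentioned in the reply; the rejected list separates clients behind NATs or firewalls that drop the answer from those that simply poll too often.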