That would be something pretty straightforward to quantify using iptables and some kind of time series data platform, ELK, etc. The trick is what to look for to identify the rusty pile of needles in a very large haystack.
Are you aware of any attributes in the requests that would differentiate them in a predictable way? All I've been able to find is things like "my QNAP NAS uses source port 1001".

Dan

Dan Geist dan(@)polter.net

----- Original Message -----
> From: "Brad Knowles" <[email protected]>
> To: "Jan-Philipp Benecke" <[email protected]>
> Cc: "pool" <[email protected]>
> Sent: Tuesday, January 3, 2017 2:33:20 PM
> Subject: Re: [Pool] Adding Stratum 2 servers in *some* underrepresented zones

> On Jan 3, 2017, at 7:54 AM, Jan-Philipp Benecke <[email protected]> wrote:
>
>> I wonder if it's specific to the AU zone or if it's more widespread?
>> My server in the AU zone also has peaks every few hours.
>
> So, here’s an interesting question — Has anyone spotted any specific applications that might be making particularly frequent use of NTP servers?
>
> Like, maybe WhatsApp, or other “secure” encrypted chat programs? Or, perhaps SnapChat?
>
> Has anyone fired up a packet sniffer and watched the traffic from various client machines to known NTP servers?
>
> I’m starting to wonder if maybe there’s another entry that may need to be made on the page at <https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse>.
>
> --
> Brad Knowles <[email protected]>
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
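An added example, not part of the original message or of any pool tooling: one way to look for differentiating attributes is to reduce each captured client request to a small fingerprint (NTP version, poll field, source port class, whether the header is otherwise empty) and count how often each fingerprint and each fast-polling source appears. The function names, the sample packets and the 64-second threshold are assumptions made for illustration; the input is assumed to be (timestamp, source IP, source port, UDP payload) tuples taken from a packet capture.

```python
import struct
from collections import Counter

def fingerprint(src_port, payload):
    """Reduce one NTP client request to fields that vary between implementations."""
    if len(payload) < 48:
        return None                      # shorter than the fixed NTP header
    flags, _stratum, poll, _prec = struct.unpack("!BBbb", payload[:4])
    if flags & 0x7 != 3:
        return None                      # mode 3 = client request
    version = (flags >> 3) & 0x7
    # Source ports below 1024 are kept verbatim (e.g. 1001); the rest are pooled.
    port = str(src_port) if src_port < 1024 else "ephemeral"
    bare = not any(payload[1:40])        # bytes 1-39 all zero: minimal SNTP-style request
    return (version, poll, port, bare)

def summarise(packets, min_interval=64):
    """Count fingerprints and, per source IP, requests arriving sooner than min_interval s."""
    prints, fast, last_seen = Counter(), Counter(), {}
    for ts, src_ip, src_port, payload in packets:
        fp = fingerprint(src_port, payload)
        if fp is None:
            continue
        prints[fp] += 1
        if src_ip in last_seen and ts - last_seen[src_ip] < min_interval:
            fast[src_ip] += 1            # assumed threshold: 64 s between requests
        last_seen[src_ip] = ts
    return prints, dict(fast)

def _req(first_byte, poll=0):
    """Build a constructed 48-byte request for the sample data."""
    body = bytearray(48)
    body[0], body[2] = first_byte, poll
    body[40:48] = b"\x01" * 8            # non-zero transmit timestamp
    return bytes(body)

# Constructed sample: (seconds, source IP, source port, UDP payload)
SAMPLE = [
    (0, "192.0.2.10", 1001, _req(0x1B)), (5, "192.0.2.10", 1001, _req(0x1B)),
    (9, "192.0.2.10", 1001, _req(0x1B)),
    (12, "198.51.100.7", 123, _req(0xE3, poll=6)),
    (76, "198.51.100.7", 123, _req(0xE3, poll=6)),
    (80, "203.0.113.5", 40211, _req(0x23)),
    (81, "203.0.113.5", 53, b"\x00" * 12),   # too short to be NTP, ignored
]

if __name__ == "__main__":
    prints, fast = summarise(SAMPLE)
    for fp, n in prints.most_common():
        print(n, fp)
    print("sources polling faster than 64 s:", fast)
```

Fed into a time series store, the per-fingerprint counts make it possible to see whether a traffic peak is dominated by one client signature or spread across many.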
