South Carolina attempts to repeal Rule 34

2016-12-19 Thread Jay Hennigan

Break out the popcorn.

http://www.charlotteobserver.com/news/local/article121673402.html

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: Recent NTP pool traffic increase

2016-12-19 Thread Laurent Dumont
If anything comes from this, I'd love to hear about it. As a student in 
the field, this is the kind of stuff I live for! ;)


Pretty awesome to see the chain of events after seeing a post on the 
[pool] list!


Laurent

On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:

replying off list.


Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown  wrote:

Quoting David :

On 2016-12-19 1:55 PM, Jan Tore Morken wrote:

On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

I found devices doing lookups for all of these at the same time

{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1]
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2]
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122


That would make sense - I see a lot of iCloud related lookups from these
hosts as well.

Also, app.snapchat.com generally seems to follow just after the NTP pool
DNS lookups. I don't have an iPhone to test that though.


Confirmed - starting up the iOS Snapchat app does a lookup to the domains
you listed, and then sends NTP to every unique IP.  Around 35-60 different
IPs.

Anyone have a contact at Snapchat?




Re: Google Global Cache Contact

2016-12-19 Thread Martin Hannigan
Jason,

In case you haven't already heard from the good people at Google:

   http://bit.ly/2hTJOhX

Best,

-M<


On Mon, Dec 19, 2016 at 4:15 PM, Jason Rokeach  wrote:
> Hi folks, could a contact for GGC contact me off-list?
>
> Thank you!
> - Jason R. Rokeach


Google Global Cache Contact

2016-12-19 Thread Jason Rokeach
Hi folks, could a contact for GGC contact me off-list?

Thank you!
- Jason R. Rokeach


Re: Recent NTP pool traffic increase

2016-12-19 Thread Jan Tore Morken
On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
> I found devices doing lookups for all of these at the same time
> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org
> and then it proceeds to use everything returned, which explains why
> everyone is seeing an increase.

Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1] 
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2] 
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122

-- 
Jan Tore Morken


Re: Recent NTP pool traffic increase

2016-12-19 Thread Justin Paine via NANOG
replying off list.


Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown  wrote:
> Quoting David :
>>
>> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>>
>>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

>>>> I found devices doing lookups for all of these at the same time
>>>>
>>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
>>>> and then it proceeds to use everything returned, which explains why
>>>> everyone is seeing an increase.
>>>
>>>
>>> Thanks, David. That perfectly matches the list of servers used by
>>> older versions of the ios-ntp library[1][2], which would point toward
>>> some iPhone app being the source of the traffic.
>>>
>>> [1]
>>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>>> [2]
>>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>>
>>
>> That would make sense - I see a lot of iCloud related lookups from these
>> hosts as well.
>>
>> Also, app.snapchat.com generally seems to follow just after the NTP pool
>> DNS lookups. I don't have an iPhone to test that though.
>
>
> Confirmed - starting up the iOS Snapchat app does a lookup to the domains
> you listed, and then sends NTP to every unique IP.  Around 35-60 different
> IPs.
>
> Anyone have a contact at Snapchat?


Re: Recent NTP pool traffic increase

2016-12-19 Thread Dan Drown

Quoting David :

On 2016-12-19 1:55 PM, Jan Tore Morken wrote:

On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

I found devices doing lookups for all of these at the same time
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1]  
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2]  
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122




That would make sense - I see a lot of iCloud related lookups from  
these hosts as well.


Also, app.snapchat.com generally seems to follow just after the NTP  
pool DNS lookups. I don't have an iPhone to test that though.


Confirmed - starting up the iOS Snapchat app does a lookup to the  
domains you listed, and then sends NTP to every unique IP.  Around  
35-60 different IPs.


Anyone have a contact at Snapchat?


Re: Recent NTP pool traffic increase

2016-12-19 Thread Justin Paine via NANOG
the new Mario app perhaps? :)


Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Mon, Dec 19, 2016 at 1:12 PM, David  wrote:
> On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
>>
>> On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
>>>
>>> I found devices doing lookups for all of these at the same time
>>>
>>> {0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org
>>> and then it proceeds to use everything returned, which explains why
>>> everyone is seeing an increase.
>>
>>
>> Thanks, David. That perfectly matches the list of servers used by
>> older versions of the ios-ntp library[1][2], which would point toward
>> some iPhone app being the source of the traffic.
>>
>> [1]
>> https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
>> [2]
>> https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122
>>
>
> That would make sense - I see a lot of iCloud related lookups from these
> hosts as well.
>
> Also, app.snapchat.com generally seems to follow just after the NTP pool DNS
> lookups. I don't have an iPhone to test that though.
>
> Thanks,
>


Re: Recent NTP pool traffic increase

2016-12-19 Thread David

On 2016-12-19 1:55 PM, Jan Tore Morken wrote:

On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

I found devices doing lookups for all of these at the same time
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1] 
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2] 
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122



That would make sense - I see a lot of iCloud related lookups from these 
hosts as well.


Also, app.snapchat.com generally seems to follow just after the NTP pool 
DNS lookups. I don't have an iPhone to test that though.


Thanks,



Re: Recent NTP pool traffic increase

2016-12-19 Thread Ask Bjørn Hansen

> On Dec 15, 2016, at 14:45, Jose Gerardo Perales Soto wrote:
> 
> We've recently experienced a traffic increase on the NTP queries to NTP pool 
> project (pool.ntp.org) servers. One theory is that some service provider NTP 
> infrastructure failed approximately 2 days ago and traffic is now being 
> redirected to servers belonging to the NTP pool project.

Hi Jose,

It’s more widespread than a particular service provider, so it seems more 
likely it’s a software update for some “IoT” device or similar.

The increase in DNS queries was on the “non-vendor” names, so it’s difficult to 
know who it is without being on a local network with one of the bad devices.

The increase in DNS queries is much smaller than the increase in NTP queries 
that are being seen, so it’s not just more clients, but badly behaving ones. :-(

https://status.ntppool.org/incidents/vps6y4mm0m69

If you have NTP servers that can be added to the pool, it’d be greatly 
appreciated.

http://www.pool.ntp.org/join.html


Ask



Re: Recent NTP pool traffic increase

2016-12-19 Thread Dan Drown

Quoting David :
I found devices doing lookups for all of these at the same time
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


I'm very interested to find out what devices these are.  This would  
explain why places like New Zealand are getting massive amounts of NTP  
traffic from North America.




Re: Recent NTP pool traffic increase

2016-12-19 Thread Valdis . Kletnieks
On Mon, 19 Dec 2016 12:52:59 -0700, David said:

>  From a source network point of view we see devices come online and hit
> ~35 unique NTP servers within a few seconds.

Am I the only one who read that and started wondering if some engineer writing
CPE code read a recommendation someplace to "query 3-5 different servers" and
managed to miss the "-"?





Re: Recent NTP pool traffic increase (update)

2016-12-19 Thread Denys Fedoryshchenko
I'm not sure if this issue is relevant to the discussed topic. Tenda routers 
have been on the market here for a while, and I think I noticed this issue 
just now because the NTP servers they are using, supposedly for healthcheck, 
went down (or the NTP owners blocked the ISPs I support, due to such routers).

At least after checking numerous users, I believe Tenda hardcoded those 
NTP IPs. What worsens the issue is that in Lebanon several times per day, for 
example at 18pm, there is a short electricity cutoff, and the majority of 
users' routers will reboot and surely reconnect, so it will look like a 
countrywide spike in NTP traffic.

I also checked for 10 minutes for these NTP IPs in DNS responses; none of 
thousands of users tried to resolve any name with them over any DNS 
server, so I conclude they are hardcoded somewhere in firmware.

Here is the traffic of a Tenda router after reconnecting (but not a full 
power cycle, I don't have it in my hands). As you can see, there are no DNS 
resolution attempts:


20:15:59.305739 PPPoE  [ses 0x1483] CHAP, Success (0x03), id 1, Msg S=XX M=Authentication succeeded
20:15:59.306100 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length 12
20:15:59.317840 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 1, length 24
20:15:59.317841 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 1, length 12
20:15:59.317867 PPPoE  [ses 0x1483] IPCP, Conf-Nack (0x03), id 1, length 18
20:15:59.325253 PPPoE  [ses 0x1483] IPCP, Conf-Request (0x01), id 2, length 24
20:15:59.325273 PPPoE  [ses 0x1483] IPCP, Conf-Ack (0x02), id 2, length 24
20:15:59.335589 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 133.100.9.2.123: NTPv3, Client, length 48
20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.41.123: NTPv3, Client, length 48
20:15:59.335588 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 192.5.41.40.123: NTPv3, Client, length 48



Here is an example of Tenda traffic when it is unable to reach the destination: 
it repeats the request every 10 seconds endlessly. My guess is they are using 
NTP to show the status of the internet connection.
So now those NTP servers are getting quite a significant DDoS this way.

19:57:52.162863 IP (tos 0x0, ttl 64, id 38515, offset 0, flags [none], proto UDP (17), length 76)
    172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48
    Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
    Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
      Reference Timestamp:  0.0
      Originator Timestamp: 0.0
      Receive Timestamp:    0.0
      Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
        Originator - Receive Timestamp:  0.0
        Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43)
19:57:52.163277 IP (tos 0x0, ttl 64, id 38516, offset 0, flags [none], proto UDP (17), length 76)
    172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length 48
    Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
    Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
      Reference Timestamp:  0.0
      Originator Timestamp: 0.0
      Receive Timestamp:    0.0
      Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
        Originator - Receive Timestamp:  0.0
        Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43)
19:57:52.164435 IP (tos 0x0, ttl 64, id 38517, offset 0, flags [none], proto UDP (17), length 76)
    172.16.31.67.123 > 133.100.9.2.123: [udp sum ok] NTPv3, length 48
    Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
    Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
      Reference Timestamp:  0.0
      Originator Timestamp: 0.0
      Receive Timestamp:    0.0
      Transmit Timestamp:   3691177063.0 (2016/12/19 22:57:43)
        Originator - Receive Timestamp:  0.0
        Originator - Transmit Timestamp: 3691177063.0 (2016/12/19 22:57:43)
19:58:02.164781 IP (tos 0x0, ttl 64, id 38518, offset 0, flags [none], proto UDP (17), length 76)
    172.16.31.67.123 > 192.5.41.40.123: [udp sum ok] NTPv3, length 48
    Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
    Root Delay: 0.00, Root dispersion: 0.00, Reference-ID: (unspec)
      Reference Timestamp:  0.0
      Originator Timestamp: 0.0
      Receive Timestamp:    0.0
      Transmit Timestamp:   3691177073.0 (2016/12/19 22:57:53)
        Originator - Receive Timestamp:  0.0
        Originator - Transmit Timestamp: 3691177073.0 (2016/12/19 22:57:53)
19:58:02.164884 IP (tos 0x0, ttl 64, id 38519, offset 0, flags [none], proto UDP (17), length 76)
    172.16.31.67.123 > 192.5.41.41.123: [udp sum ok] NTPv3, length 48
    Client, Leap indicator:  

Re: Recent NTP pool traffic increase

2016-12-19 Thread David

On 2016-12-19 12:52 PM, David wrote:

On 2016-12-19 11:29 AM, Laurent Dumont wrote:

I also have a similar experience with an increased load.

I'm running a pretty basic Linode VPS and I had to fine tune a few
things in order to deal with the increased traffic. I can clearly see a
date around the 14-15 where my traffic increases to 3-4 times the usual
amounts.


From a source network point of view we see devices come online and hit
~35 unique NTP servers within a few seconds.

I'll try to see if I can track down what type of devices they are.



I found devices doing lookups for all of these at the same time 
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org 
and then it proceeds to use everything returned, which explains why 
everyone is seeing an increase.
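
The two patterns reported in this thread (a device hitting ~35 unique NTP servers within a few seconds, and a router re-querying the same server every 10 seconds) can be picked out of one-line tcpdump output as sketched here. This is an added example, not code from any poster in the thread; the function names, the thresholds and the sample capture (built from documentation and private address ranges) are assumptions.

```python
import re
from collections import defaultdict

# One-line tcpdump NTP client packet, e.g. (format as quoted in the thread):
# 20:15:59.335589 PPPoE  [ses 0x1483] IP 172.17.49.245.123 > 133.100.9.2.123: NTPv3, Client, length 48
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s.*?\bIP\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+(\d+\.\d+\.\d+\.\d+)\.123:\s+NTPv\d+, Client\b"
)

def parse(lines):
    """Return (seconds_since_midnight, src_ip, dst_ip) per request; capture must not cross midnight."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hh, mm, ss, frac, src, dst = m.groups()
            t = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
            events.append((t, src, dst))
    return events

def max_fanout(events, window=5.0):
    """Per source: most distinct NTP servers queried inside any `window` seconds."""
    by_src = defaultdict(list)
    for t, src, dst in events:
        by_src[src].append((t, dst))
    result = {}
    for src, pkts in by_src.items():
        pkts.sort()
        in_window, left, best = defaultdict(int), 0, 0
        for t, dst in pkts:
            in_window[dst] += 1
            while t - pkts[left][0] > window:      # slide the window forward
                old = pkts[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result

def noisy_sources(events, threshold=8, window=5.0):
    """Sources whose fan-out exceeds `threshold` (assumed cut-off, tune locally)."""
    return sorted(s for s, n in max_fanout(events, window).items() if n > threshold)

def fast_pollers(events, max_interval=16.0, min_requests=3):
    """(src, dst) pairs re-queried >= min_requests times with every gap <= max_interval.
    Returns the mean gap in seconds; both limits are assumed values."""
    times = defaultdict(list)
    for t, src, dst in events:
        times[(src, dst)].append(t)
    flagged = {}
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_requests and gaps and max(gaps) <= max_interval:
            flagged[pair] = round(sum(gaps) / len(gaps), 1)
    return flagged

def sample_capture():
    """Constructed capture using documentation/private addresses, not thread data."""
    lines = []
    for i in range(35):   # device A: 35 servers right after coming online
        lines.append(f"20:15:59.{300000 + i * 15000:06d} IP 10.0.0.5.123 > "
                     f"198.51.100.{i + 1}.123: NTPv3, Client, length 48")
    for i in range(4):    # device B: same server every 10 s, PPPoE-encapsulated
        lines.append(f"19:57:{12 + i * 10:02d}.162863 PPPoE  [ses 0x0001] IP "
                     "10.0.0.9.123 > 203.0.113.10.123: NTPv3, Client, length 48")
    for i in range(4):    # device C: ordinary client with four servers
        lines.append(f"20:00:00.{i}00000 IP 10.0.0.7.49152 > "
                     f"192.0.2.{i + 1}.123: NTPv3, Client, length 48")
    lines.append("20:00:01.000000 IP 192.0.2.1.123 > 10.0.0.7.49152: NTPv3, Server, length 48")
    return lines

if __name__ == "__main__":
    ev = parse(sample_capture())
    print(max_fanout(ev), noisy_sources(ev), fast_pollers(ev))
```

Feed it live data with `tcpdump -n udp port 123` (non-verbose, one packet per line); the verbose `-v` layout quoted elsewhere in the thread puts "Client" on a separate line and is not matched.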





Re: Recent NTP pool traffic increase

2016-12-19 Thread David

On 2016-12-19 11:29 AM, Laurent Dumont wrote:

I also have a similar experience with an increased load.

I'm running a pretty basic Linode VPS and I had to fine tune a few
things in order to deal with the increased traffic. I can clearly see a
date around the 14-15 where my traffic increases to 3-4 times the usual
amounts.


From a source network point of view we see devices come online and hit 
~35 unique NTP servers within a few seconds.


I'll try to see if I can track down what type of devices they are.



I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs

http://i.imgur.com/mygYINk.png

Weird stuff

Laurent


On 12/17/2016 10:25 PM, Gary E. Miller wrote:

Yo All!

On Sat, 17 Dec 2016 17:54:55 -0800
"Gary E. Miller"  wrote:


# tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"

And I do indeed get odd results.  Some on my local network...

To follow up on my own post, so this can be promptly laid to rest.

After some discussion at NTPsec.  It seems that chronyd takes a lot
of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
just 'odd', and not new.

So, nothing to see here, back to the hunt for the real cause of the new
NTP traffic.

RGDS
GARY
---

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588






Re: Recent NTP pool traffic increase (update)

2016-12-19 Thread Denys Fedoryshchenko
Many sorry! Update: it seems the customer, illiterate in English (worse than 
me, hehe), was not precise about the model of router when he reported the issue.

I noticed now that many customers using specific models of routers reported 
issues with internet connection.
Analyzing internet traffic, I noticed that these routers seem to be 
excessively requesting NTP from those IP addresses, and not trying 
others:


 > 192.5.41.40.123: NTPv3, Client, length 48
 > 192.5.41.41.123: NTPv3, Client, length 48
 > 133.100.9.2.123: NTPv3, Client, length 48

I'm asking the customer to take a photo of the device, to retrieve model and 
revision, and checking other customers as well, if they are abusing the same 
servers.
There is definitely a pattern: all of them are using just these 3 
hardcoded servers. The problem is that many customers are changing the MAC of 
the router, so I cannot clearly identify the vendor by the first MAC nibbles.
He sent me 2 photos, one of them LB-Link (MAC vendor lookup 20:f4:1b 
says Shenzhen Bilian electronic CO.,LTD), another is Tenda (c8:3a:35 is 
Tenda).

If it is necessary I can investigate further.


On 2016-12-19 20:33, Ca By wrote:
My WAG is that the one plus updated firmware on that day and they baked in
the pool.

Complete WAG, but time and distributed sources including wireless networks

On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote:

I also have a similar experience with an increased load.

I'm running a pretty basic Linode VPS and I had to fine tune a few
things in order to deal with the increased traffic. I can clearly see a
date around the 14-15 where my traffic increases to 3-4 times the usual
amounts.

I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs

http://i.imgur.com/mygYINk.png

Weird stuff

Laurent

On 12/17/2016 10:25 PM, Gary E. Miller wrote:
> Yo All!
>
> On Sat, 17 Dec 2016 17:54:55 -0800
> "Gary E. Miller"  wrote:
>
>> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>>
>> And I do indeed get odd results.  Some on my local network...
> To follow up on my own post, so this can be promptly laid to rest.
>
> After some discussion at NTPsec.  It seems that chronyd takes a lot
> of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
> just 'odd', and not new.
>
> So, nothing to see here, back to the hunt for the real cause of the new
> NTP traffic.
>
> RGDS
> GARY
>
---
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>   g...@rellim.com  Tel:+1 541 382 8588






Re: Recent NTP pool traffic increase

2016-12-19 Thread Denys Fedoryshchenko
I noticed now that many customers using TP-Links reported issues with 
internet connection.
Analyzing internet traffic, I noticed that TP-Link seems to be excessively 
requesting NTP from those IP addresses, and not trying others:


 > 192.5.41.40.123: NTPv3, Client, length 48
 > 192.5.41.41.123: NTPv3, Client, length 48
 > 133.100.9.2.123: NTPv3, Client, length 48

I'm asking the customer to take a photo of the device, to retrieve model and 
revision, and checking other customers as well, if they are abusing the same 
servers.


On 2016-12-19 20:33, Ca By wrote:
My WAG is that the one plus updated firmware on that day and they baked in
the pool.

Complete WAG, but time and distributed sources including wireless networks

On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote:

I also have a similar experience with an increased load.

I'm running a pretty basic Linode VPS and I had to fine tune a few
things in order to deal with the increased traffic. I can clearly see a
date around the 14-15 where my traffic increases to 3-4 times the usual
amounts.

I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs

http://i.imgur.com/mygYINk.png

Weird stuff

Laurent

On 12/17/2016 10:25 PM, Gary E. Miller wrote:
> Yo All!
>
> On Sat, 17 Dec 2016 17:54:55 -0800
> "Gary E. Miller"  wrote:
>
>> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
>>
>> And I do indeed get odd results.  Some on my local network...
> To follow up on my own post, so this can be promptly laid to rest.
>
> After some discussion at NTPsec.  It seems that chronyd takes a lot
> of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
> just 'odd', and not new.
>
> So, nothing to see here, back to the hunt for the real cause of the new
> NTP traffic.
>
> RGDS
> GARY
>
---
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>   g...@rellim.com  Tel:+1 541 382 8588






Re: Recent NTP pool traffic increase

2016-12-19 Thread Ca By
My WAG is that the one plus updated firmware on that day and they baked in
the pool.

Complete WAG, but time and distributed sources including wireless networks


On Mon, Dec 19, 2016 at 10:30 AM Laurent Dumont wrote:

> I also have a similar experience with an increased load.
>
> I'm running a pretty basic Linode VPS and I had to fine tune a few
> things in order to deal with the increased traffic. I can clearly see a
> date around the 14-15 where my traffic increases to 3-4 times the usual
> amounts.
>
> I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs
>
> http://i.imgur.com/mygYINk.png
>
> Weird stuff
>
> Laurent
>
> On 12/17/2016 10:25 PM, Gary E. Miller wrote:
>
> > Yo All!
> >
> > On Sat, 17 Dec 2016 17:54:55 -0800
> > "Gary E. Miller"  wrote:
> >
> >> # tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"
> >>
> >> And I do indeed get odd results.  Some on my local network...
> > To follow up on my own post, so this can be promptly laid to rest.
> >
> > After some discussion at NTPsec.  It seems that chronyd takes a lot
> > of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
> > just 'odd', and not new.
> >
> > So, nothing to see here, back to the hunt for the real cause of the new
> > NTP traffic.
> >
> > RGDS
> > GARY
> >
> ---
> > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> >   g...@rellim.com  Tel:+1 541 382 8588


Re: Recent NTP pool traffic increase

2016-12-19 Thread Laurent Dumont

I also have a similar experience with an increased load.

I'm running a pretty basic Linode VPS and I had to fine tune a few 
things in order to deal with the increased traffic. I can clearly see a 
date around the 14-15 where my traffic increases to 3-4 times the usual 
amounts.


I did a quick dump and in 60 seconds I was hit by slightly over 190K IPs

http://i.imgur.com/mygYINk.png

Weird stuff

Laurent


On 12/17/2016 10:25 PM, Gary E. Miller wrote:

Yo All!

On Sat, 17 Dec 2016 17:54:55 -0800
"Gary E. Miller"  wrote:


# tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"

And I do indeed get odd results.  Some on my local network...

To follow up on my own post, so this can be promptly laid to rest.

After some discussion at NTPsec.  It seems that chronyd takes a lot
of 'creative license' with RFC 5905 (NTPv4).  But it is not malicious,
just 'odd', and not new.

So, nothing to see here, back to the hunt for the real cause of the new
NTP traffic.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588




Re: Not a representative of gmx.com but their emails are being blocked by those who subscribe to the SORBS RBL.

2016-12-19 Thread David Hofstee
Sorbs is a pretty good list. And I've been on the listed-side too. I personally 
would not use it to block, but I would give it 3 of the 5 points.

The anti-spam gang is never going to be perfect. But since (self)regulation is 
not working, we need them. I value them at the moment. The only thing you can 
do about it, is figuring a way to solve this security issue (called spam). 

Kind regards,


David Hofstee

Deliverability Management
MailPlus B.V. Netherlands (ESP)

- Original message -
From: "Tom Beecher" 
To: "Ken O'Driscoll" , nanog@nanog.org
Sent: Sunday 18 December 2016 20:08:05
Subject: Re: Not a representative of gmx.com but their emails are being 
blocked by those who subscribe to the SORBS RBL.

I tend to scratch my head at anyone still using SORBS at this point.


On Sun, Dec 18, 2016 at 8:27 AM Ken O'Driscoll wrote:

> On Sat, 2016-12-17 at 20:15 -0800, Large Hadron Collider wrote:
> > Does anyone have information on why this is, and if you represent SORBS
> > and/or GMX and/or both, would you please trouble yourself with
> > contacting me off-list?
>
> You can find out why an IP was listed via their lookup facility:
> http://www.sorbs.net/lookup.shtml
>
> You can request de-listing by opening a support request:
> http://www.sorbs.net/cgi-bin/support
>
> You don't need to be an IP block owner to request de-listing but you do
> need to be empowered to stop whatever caused the listing in the first
> place. Their support is very responsive.
>
> Ken.
>
> --
> Ken O'Driscoll / We Monitor Email
> t: +353 1 254 9400 | w: www.wemonitoremail.com