Re: Recent NTP pool traffic increase

[Dan Drown]

Quoting David :

On 2016-12-19 1:55 PM, Jan Tore Morken wrote:

On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:

I found devices doing lookups for all of these at the same time
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org
and then it proceeds to use everything returned, which explains why
everyone is seeing an increase.


Thanks, David. That perfectly matches the list of servers used by
older versions of the ios-ntp library[1][2], which would point toward
some iPhone app being the source of the traffic.

[1]  
https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0564/ios-ntp-rez/ntp.hosts
[2]  
https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff9f2/ios-ntp-lib/NetworkClock.m#L122




That would make sense - I see a lot of iCloud related lookups from  
these hosts as well.


Also, app.snapchat.com generally seems to follow just after the NTP  
pool DNS lookups. I don't have an iPhone to test that though.


Confirmed - starting up the iOS Snapchat app does a lookup to the  
domains you listed, and then sends NTP to every unique IP.  Around  
35-60 different IPs.


Anyone have a contact at Snapchat?

Re: Recent NTP pool traffic increase

[Dan Drown]

Quoting David :
I found devices doing lookups for all of these at the same time  
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa,europe}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an  
increase.


I'm very interested to find out what devices these are.  This would  
explain why places like New Zealand are getting massive amounts of NTP  
traffic from North America.

Re: Recent NTP pool traffic increase

[Dan Drown]

Quoting Roland Dobbins :
Do you have flow telemetry, which provides a lot more information  
than basic pps/bps stats?


Sources are pretty widely spread out among cell networks/home  
internet, seem to be mostly US based.  I'm not seeing a large amount  
of traffic per single IP or single subnet.  This seems more like  
"someone pushed out bad firmware" rather than something malicious.


Are you seeing normal timesync queries, or lots of level-6/level-7  
admin command attempts?


SNTP Client timesync queries make up 91.3% of the traffic to my server.

The following NTP settings being most the popular (47% of all traffic  
to my server):


stratum=0, poll=4, precision=-6, root delay=1, root dispersion=1,  
reference timestamp=0, originator timestamp=0,

receive timestamp=0

Re: Recent NTP pool traffic increase

[Dan Drown]

Quoting Jose Gerardo Perales Soto :
We've recently experienced a traffic increase on the NTP queries to  
NTP pool project (pool.ntp.org) servers. One theory is that some  
service provider NTP infraestructure failed approximately 2 days ago  
and traffic is now being redirected to servers belonging to the NTP  
pool project.


Does anyone from the service provider community have any comments?


To add some more numbers to this, I'm seeing 4x the usual NTP traffic  
to my server in pool.ntp.org, starting Dec 13.


Top source ASNs by % of NTP traffic seen by my server (I don't have  
pre-Dec 13 traffic by ASN handy)


sprint 4.0%
verizon-wireless 3.4%
tmobile 2.9%
att-wireless 2.8%
comcast 2.1%
orange 1.8%
sky 1.6%
twc 1.0%
att 1.0%
swisscom 0.9%
saudinet 0.8%
virgin 0.6%
opaltelecom 0.5%
qwest 0.5%
eli 0.2%
verizon 0.2%

Possibly related is the new iOS release.  Does the new iOS generate  
more NTP traffic?  Can anyone measure that?

Re: ATT U-Verse Data Setup Convention

[Dan Drown]

I have ATT u-verse small business connection at my office with a  
static IP setup, and my experience matches with the ATT tech said.   
We have a separate router behind the ATT router.  The ATT router is  
an Arris (former Motorola) NVG595.  Our router has a static IP out of  
our subnet and does NAT for the office network.


As far as I can tell, the u-verse supplied router cannot be replaced  
with something less sucky.  The problem is getting the 802.1x  
certificate needed to authenticate on the wan port.


I dislike ATT's hardware as it has more limitations than just this,  
but some of those limitations can be worked around with an additional  
router downstream of it.


Quoting Keith Stokes kei...@neilltech.com:
I’m wondering if some can share their experiences or maybe there’s  
an ATT person here who can confirm policy.


I work for SaaS provider who requires a source IP to access our  
system to businesses.


Normally we tell the customer to request a “Static IP” from their  
provider. That term makes sense to most ISPs.


However, we’ve recently worked with an ATT higher-up tech who told  
us that every U-Verse modem is locked to an address even when set to  
DHCP and will not change unless the unit is changed. Ordering a  
“Static IP” from them means your devices will individually get  
public addresses, which isn’t a requirement for us, isn’t quite as  
easy to add multiple devices and costs our customers more money.


Here are my questions:

1. Is it really accurate that the customer’s address is tied to the  
modem/router?


2. For my curiosity, is this done through a DHCP reservation or is  
there a hard coded entry somewhere?


3. Do all U-Verse modem/routers behave the same way? This particular  
unit was a Motorola but the friends I’ve seen with U-Verse use a  
Cisco unit.


---

Keith Stokes

Re: Recommendation on NTP appliances/devices

[Dan Drown]

Quoting Julien Goodwin na...@studio442.com.au:

Show my anything short of a classic SONET transmission system (or
perhaps sync-E) where you actually have something with jitter that  
low [tens of microseconds].


Since you asked, here you go: http://i.imgur.com/DvMJd5y.png

Two EndRun Unison GPS NTP servers, one in New York metro and one in  
London metro.  They're connected via 10G over dark fiber (along with a  
bunch of networking gear doing more than just measuring time).   
Measurements taken from ntp running on the New York server, the blue  
line is the offset between the two clocks (in ms, left labels) and the  
pink line is the rtt (in ms, right labels).


90th percentile of the offsets is 34 microseconds, and 10th percentile  
is 5 microseconds.


You can see a spike in one-way latency near sample 590.  Most likely  
culprit is of one of the firewalls being busy (there's two in this  
path).

Re: Verizon IPv6 LTE

[Dan Drown]

Quoting Randy Carpenter rcar...@network1.net:

Safari is definitely preferring IPv4.

In a happier note, if you tether a device via hotspot on an IOS6 iPad, the
clients get native IPv6. Strangely, they get addresses out of the  
same /64 as the iPad's LTE interface. Anyone know how that is  
working? I would have thought they would use prefix-delegation, and  
there would be a separate routed /64.


I assume they're doing the same thing I am.  The cell network  
interface is just a p2p interface, and the whole /64 is routed to the  
phone/tablet.  You can configure the p2p interface address as a /128  
and configure the /64 on the wifi interface.  My understanding of the  
3gpp specs is that the cell provider won't have an address in that  
/64, so you won't conflict with anything upstream of the phone/tablet.


Here's a screenshot of my (wifi-only) tablet getting v6 while tethered  
through my phone:

http://dan.drown.org/android/clat/IMG_20120425_105124.jpg