[ntp:questions] Monitoring Number of Clients

Charles Elliott elliott.ch at comcast.net
Tue Feb 14 14:14:17 UTC 2017


Hello,

There are three sets of facts you may want to consider.  First, in
reports of how security consultants handle denial-of-service defense
engagements, the consultants seem to develop ad hoc solutions to determining
where the flood of packets is coming from.[1]  Second, in one study of
Internet time server usage [2, Fig. 2], it was found that one server received
requests with these frequencies:

DayTime and Time requests (TCP): ~10^2.2 to ~10^2.4 per second (sec).

NTP requests (UDP, port 123): ~10^3 per sec, with bursts of 10^3.2 to 10^3.4
per sec every 5 minutes.

NTP packet requests (UDP, other ports): between ~10^3.2 and ~10^3.5 per sec
(depending on the hour of the day), with bursts up to ~10^4 per sec every
minute.

In total this server experienced a steady stream of about 30,000 requests
for time per second (rps), with peaks to 90,000 rps every hour, and smaller
peaks to 40,000 rps every half hour.  Another server in this group had a
steady stream of about 5,000 rps, with peaks to ~40,000 rps every half hour.
Both these servers had very heavy peaks of requests at midnight.

Third, in my reading of the source code for the Network Time Protocol Daemon
(NTPD), the program is optimized to handle a high number of requests per
second, not to record who is making the requests.

My conclusions from these facts and observations are:

1. Determining who is using an NTP time server is, almost by definition, a
Big Data problem, and may require a Big Data solution, but do search with
Bing and/or Google first.

2. If you want a high quality solution to finding out who is using an NTP
time server, you may have to provide it yourself.  You can download the
source code from www.ntp.org and modify it to serve your needs.

3. The book [3] has examples in it of applying open-source big data software
to big data problems.  I could not make these examples run under Windows,
but the book's author assured me that they ran well under Linux.  In any
case, the examples did not use Spark, which apparently is much easier to use
and faster than Hadoop.

Charles Elliott

References:

[1] Menn, Joseph. (2010). Fatal System Error: The Hunt for the New Crime
Lords Who Are Bringing Down the Internet. New York, NY: PublicAffairs.

[2] Sherman, Jeff A., & Levine, Judah. (2016). Usage Analysis of the NIST
Internet Time Service. Journal of Research of the National Institute of
Standards and Technology (JRES). doi: http://dx.doi.org/10.6028/jres.121.003
(nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf)

[3] Marz, Nathan, & Warren, James. (2015). Big Data: Principles and Best
Practices of Scalable Real-Time Data Systems. Shelter Island, NY: Manning
Publications.
-----Original Message-----
From: questions
[mailto:questions-bounces+elliott.ch=comcast.net at lists.ntp.org] On Behalf Of
Johannes Weber
Sent: Monday, February 6, 2017 3:11 PM
To: questions at lists.ntp.org
Subject: [ntp:questions] Monitoring Number of Clients

Hello NTP list,

I have one question concerning the monstats and mrulist commands. I am
monitoring my NTP servers and I want to graph the current clients. I am
using the "addresses" line from the monstats output.

However, it seems that every client that has been gone for many days (!) is
still listed within the "addresses" section and not only in the "peak
addresses". The same is true within the mrulist output, which lists addresses
that have an lstint of many days ago.

So my question is: How can I get a number of the "most recent" clients,
i.e., clients that have a lstint < 2000 or the like? (One bad approach might
be to use the mrulist output and to grep all lines that have an lstint <
2000. But I am searching for a better way to do it.)

Thanks in advance!

Johannes


--
Johannes Weber
Webernetz.net - Network Security Consulting
mail:    johannes at webernetz.net
mobile:  +49 174 1880211
blog:    https://blog.webernetz.net
twitter: @webernetz (https://twitter.com/webernetz)
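One way to get the "most recent clients" figure the question asks for, as an added example that is not part of this thread: parse the mrulist output and count the addresses whose lstint is below a threshold, instead of grepping lines by hand. The sample output below is constructed for the example, and the fetch_mrulist helper assumes ntpq can reach the local server.

```python
import subprocess

# Constructed sample of `ntpq -n -c mrulist` output (column layout as ntpq
# prints it; the addresses and counters are made up for this example).
SAMPLE_MRULIST = """\
Ctrl-C will stop MRU retrieval and display partial results.
lstint avgint rstr r m v  count rport remote address
==============================================================================
    12     64   1d0 L 3 4    514   123 192.0.2.10
   930    128   1d0 L 3 4     77   123 192.0.2.11
  1999   3600   1d0 L 3 4      3 40123 198.51.100.5
  2000     64   1d0 L 3 4   9012   123 203.0.113.7
345600   1800   1d0 L 3 4      2   123 203.0.113.8
"""


def parse_mrulist(text):
    """Return (lstint, count, address) for each data row of mrulist output.

    Banner, header and separator lines are skipped: a data row has at least
    nine whitespace-separated fields and starts with the integer lstint.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].isdigit() or not fields[6].isdigit():
            continue
        rows.append((int(fields[0]), int(fields[6]), fields[8]))
    return rows


def recent_clients(text, max_lstint=2000):
    """Addresses whose last request arrived less than max_lstint seconds ago."""
    return sorted({addr for lstint, _, addr in parse_mrulist(text)
                   if lstint < max_lstint})


def fetch_mrulist():
    """Run ntpq against the local server and return the raw mrulist output.

    On a busy server the MRU list can be large, so poll this sparingly.
    """
    return subprocess.run(["ntpq", "-n", "-c", "mrulist"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(len(recent_clients(SAMPLE_MRULIST)), "clients with lstint < 2000")
```

For graphing, call recent_clients(fetch_mrulist()) from the monitoring poller and plot the length of the result.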
