[ntp:questions] Legitimate Source Ports for NTP traffic?

Jason Rabel jasonrabel99 at gmail.com
Fri Nov 30 16:32:37 UTC 2018


Thanks for the link to the paper, very interesting stuff! I've only
given it a quick read; when I have more time I'll definitely sit down
and study it more in-depth.

I noticed the data used was from May-June 2015; has there been any
newer sampling done? Or is there any other location for some
statistics, like updated graphs that show the requests/day, or perhaps
IPv6 traffic in these past few years?

This paper answered a lot of questions I had. One thing you might want
to explore more next time is the 'abusive clients': while their
subset of physical IPs is small, calculating out their amount of
queries vs. the total might raise an eyebrow. Also, I've noticed
different 'groups' of abusive clients... Some will pound away at very
fast rates for a short amount of time (i.e. less than an hour), never
to be heard from again; some will do large bursts several times a day;
and others query excessively 24/7, even after blocking. I even noticed
a few that would INCREASE their request rate after being blocked...
*rolleyes*

Finally, another interesting observation would be to sample from a few
of the NTP Pool servers and see how that traffic varies (if at all),
since various OSes and embedded products default to different NTP
sources.
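As an added example (not part of the original post, and not code from any NTP implementation), the following Python script groups clients from a per-request log into the behaviour classes the post describes: the short flood that is never seen again, the periodic large bursts, the 24/7 excessive querier, plus the share of all queries the abusive minority accounts for and a before/after rate comparison around a block. The log format (one `epoch_seconds src_ip src_port` line per request), the thresholds, and the sample traffic are all assumptions constructed for the illustration; in particular the 8-packet `iburst` a well-behaved ntpd sends at startup is deliberately ignored so it is not mistaken for a flood.

```python
"""Group NTP clients by query pattern from a per-request log.

Added example for this thread; it is not code from the original post or from
any NTP server. Log format (one 'epoch_seconds src_ip src_port' line per
request), thresholds and sample traffic are assumptions made for illustration.
"""
from collections import defaultdict

# Assumed thresholds, not values from the post.
ABUSE_INTERVAL = 16       # s; a burst averaging faster than this is abusive
MIN_BURST_PACKETS = 20    # ignores the 8-packet 'iburst' a sane ntpd sends
BURST_GAP = 600           # s of silence that separates two bursts
SHORT_FLOOD = 3600        # "less than an hour, never heard from again"
SUSTAINED = 72000         # active for most of a day -> 24/7 pattern


def parse_log(text):
    """Parse 'epoch_seconds src_ip src_port' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return records


def timestamps_by_client(records):
    """Sorted request timestamps per source IP."""
    per_ip = defaultdict(list)
    for ts, ip, _port in records:
        per_ip[ip].append(ts)
    return {ip: sorted(ts) for ip, ts in per_ip.items()}


def split_bursts(timestamps, gap=BURST_GAP):
    """Split a sorted timestamp list at every silence longer than gap seconds."""
    bursts = [[timestamps[0]]]
    for t in timestamps[1:]:
        if t - bursts[-1][-1] > gap:
            bursts.append([t])
        else:
            bursts[-1].append(t)
    return bursts


def classify(timestamps):
    """One of 'normal', 'short-flood', 'periodic-burst', 'sustained'."""
    bursts = [b for b in split_bursts(timestamps) if len(b) >= MIN_BURST_PACKETS]
    if not bursts:
        return "normal"
    fastest = min((b[-1] - b[0]) / (len(b) - 1) for b in bursts)
    if fastest > ABUSE_INTERVAL:
        return "normal"
    if len(bursts) > 1:
        return "periodic-burst"
    span = bursts[0][-1] - bursts[0][0]
    return "short-flood" if span < SHORT_FLOOD else "sustained"


def report(records):
    """Per-client pattern, query count and share of all queries seen."""
    total = len(records)
    return {
        ip: {"queries": len(ts), "share": len(ts) / total, "pattern": classify(ts)}
        for ip, ts in timestamps_by_client(records).items()
    }


def abusive_share(rep):
    """(abusive client count, client count, fraction of all queries they sent)."""
    bad = [v for v in rep.values() if v["pattern"] != "normal"]
    return len(bad), len(rep), sum(v["share"] for v in bad)


def rate_change_after_block(timestamps, blocked_at, window=3600):
    """Query rate in the window after a block divided by the rate before it.
    A value above 1 is the 'rate went UP after blocking' behaviour."""
    before = sum(1 for t in timestamps if blocked_at - window <= t < blocked_at)
    after = sum(1 for t in timestamps if blocked_at <= t < blocked_at + window)
    return after / before if before else float("inf")


# Constructed sample traffic (documentation addresses, no real captures).
T0 = 1_700_000_000


def _synth():
    lines = [f"{T0 + i * 64} 192.0.2.10 123" for i in range(1350)]      # polls every 64 s
    lines += [f"{T0 + i * 2} 192.0.2.11 123" for i in range(8)]          # iburst start ...
    lines += [f"{T0 + i * 64} 192.0.2.11 123" for i in range(1, 100)]    # ... then normal
    lines += [f"{T0 + i // 5} 203.0.113.5 {40000 + i % 64}" for i in range(3000)]  # 5/s, 10 min
    for k in range(4):                                                    # 200 pkts, 4x/day
        lines += [f"{T0 + k * 21600 + i // 2} 203.0.113.6 55555" for i in range(200)]
    lines += [f"{T0 + i} 198.51.100.7 123" for i in range(43200)]        # 1/s for 12 h
    lines += [f"{T0 + 43200 + i // 2} 198.51.100.7 123" for i in range(86400)]  # 2/s after block
    return "\n".join(lines)


SAMPLE_LOG = _synth()

if __name__ == "__main__":
    rep = report(parse_log(SAMPLE_LOG))
    for ip, v in sorted(rep.items()):
        print(f"{ip:14} {v['pattern']:15} {v['queries']:7d} {v['share']:.3f}")
    print("abusive clients, clients, share of queries:", abusive_share(rep))
```

On the constructed sample, three of the five clients are abusive yet they send roughly 99% of all queries, which is the "small subset of IPs, large share of traffic" point; the 198.51.100.7 client doubles its rate after the assumed block at T0 + 43200 s. The per-burst average interval is used rather than the overall rate so that a client that occasionally floods but is otherwise quiet still shows up, and bursts shorter than MIN_BURST_PACKETS are skipped so a startup iburst alone never trips the check.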

