[time] Traffic figures to servers removed from the pool
Mon May 17 20:21:46 UTC 2010
I removed two time servers from the pool on January 8, 2009. At that
time they had both been in the pool for a several years, can't really
remember the exact number. Now that it's been about 16 months since the
servers were removed from the pool and public time service on one of
those has finally been disabled a few days ago, I'd like to share some
easily gathered numbers from the last days. I haven't saved any historic
datapoints since the servers were removed from the pool, so no pretty
graphs, just a few current numbers.
Host A: At the time of disabling time service, the ntpdc -c monlist
listed the oldest client at 24,9 days. Which means that 600 different
hosts had asked for the time within the last 25 days. There were 351
hosts that queried the server within the last 24 hours and 314 within
the last hour. So after 16 months of not being in the pool, there were
still more than 300 faithful clients that regularly asked what the time
was. Currently about 150 NTP packets are received per minute at that
host, ICMP port unreachable is sent as a reply.
Host B: At the moment host B is still serving time to anyone who asks
and the oldest entry on ntpdc -c monlist is 40,8 days old. 231 clients
had asked for the time within 24 hours and 214 within the last hour.
About 60 NTP packets are received per minute at this host.
The results are pretty much what I expected. Most of the clients go away
pretty quickly, but apparently there are some hosts that have very long
(ntpd) uptimes and some clients probably have hardcoded IP addresses in
their configurations. I'm suspecting hardcoding also because quite many
of the IP addresses on the monlist come from the same network/domain.
I.e. a local admin has rolled up a configuration package that has
hardcoded IP addresses in it and distributed it to a bunch of machines
in the company. Or deployed an (S)NTP software package that ships with
hardcoded IP addresses of time servers.
I'm also not surprised that many clients react to ICMP port unreachable
replies by immediately sending one or more retry packets, as can be seen
when looking at the traffic on a packet sniffer. Luckily apparently no
client that was using host A uses an algorithm where every received ICMP
port unreachable message triggers an immediate re-request.
So in summary, if you remove a server from the pool, you'll probably
never get totally rid of incoming NTP traffic. This should surprise
nobody. I certainly didn't expect the traffic to go away completely, but
it goes down to being pretty insignificant volume-vise eventually.
More information about the pool