[ntp:questions] NTP Pool Server Costs me $40/mo in Bandwidth--is

Jason Rabel jason at extremeoverclocking.com
Sun Jun 15 14:16:26 UTC 2014


> Yes, and remember we live in a world of NAT.  While there is much to be
> said for running "your" NTP servers that talk to outside NTP servers and
> having all of your other NTP clients talk to your NTP servers, some
> folks don't do this, and that means their clients can send a lot of
> queries to external servers and these requests will be coming from
> (different ports from) a single IP address (due to NAT).

Very true, but one would hope that the pool DNS servers would dish out different IPs to each of these NTP clients behind the NAT IP.
Also even if they do use the same servers, one would hope the poll interval is great enough and the requests are randomly spread out
far enough as to not trigger any abuse situation.

FWIW, on my pool server I do not have the 'limited' (or kod) command implemented in my restrict line. I realize that it would
restrict some legitimate traffic and would probably end up causing more issues than it would solve.

> Then again, there are also broken implementations out there that will
> badly misbehave.

> It would be useful to see if there was any way to identify what's going
> on with the culprit IPs.

Yes, every now and then I too, like the OP, will see huge spikes in my packets received/sent that occur at or very close to an
on-hour mark at particular times (like midnight or 4 am); my guess is a poor implementation in a router somewhere. I've never had
the time to track it down though because it occurs so infrequently and is still such a minuscule amount of my overall constant
bandwidth that it honestly doesn't matter (to me) in the big picture of things.

However, in this case the OP did track it down to some Puerto Rico IPs, which is kind of interesting. They both come from Cable
pools, so again my guess is probably someone has an old home router and needs to update their firmware. Trying to get the cable
company to contact their customer to do anything about it would probably be a fruitless effort though.


On a related note, is there any way to determine if the requests are made by ntpdate vs ntpd? I realize ntpdate is deprecated but
it is still used (or a hacked down version) by a lot of routers, and many distros still include it too.
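
Added example, not part of the original message or of any NTP project's code: one way to look for the culprit IPs and on-the-hour spikes discussed above, given a per-request log. The log format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def sample_log():
    """Constructed input: '<UTC timestamp> <source IP> <source port>' per request.
    Addresses come from the RFC 5737 documentation ranges."""
    lines = []
    # One source port, 120 requests within the minute starting at 04:00:00.
    for s in range(60):
        lines += [f"2014-06-15T04:00:{s:02d}Z 192.0.2.10 123"] * 2
    # Five source ports behind one address, one request each, spread over the hour.
    for i, port in enumerate((40001, 40002, 40003, 40004, 40005)):
        lines.append(f"2014-06-15T04:{10 + i * 9:02d}:17Z 198.51.100.7 {port}")
    return lines

def summarize(lines, burst_per_minute=60, hour_slack=120):
    """Per source IP: total requests, distinct source ports, busiest minute,
    and whether that minute starts within hour_slack seconds of a full hour.
    Both thresholds are assumed values; tune them to the server's normal load."""
    per_minute = defaultdict(Counter)   # ip -> {minute start (epoch): requests}
    ports = defaultdict(set)            # ip -> distinct source ports seen
    for line in lines:
        ts, ip, port = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        per_minute[ip][int(t.timestamp()) // 60 * 60] += 1
        ports[ip].add(int(port))
    report = {}
    for ip, buckets in per_minute.items():
        peak_minute, peak = max(buckets.items(), key=lambda kv: kv[1])
        offset = peak_minute % 3600     # seconds past the hour
        report[ip] = {
            "total": sum(buckets.values()),
            "ports": len(ports[ip]),
            "peak_per_minute": peak,
            "peak_near_hour": min(offset, 3600 - offset) <= hour_slack,
            "flag": peak >= burst_per_minute,
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(summarize(sample_log()).items()):
        print(ip, row)
```

Reading many ports with a low per-minute peak as several clients behind NAT, and one port with a high peak as a single misbehaving client, is a heuristic rather than proof.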

 


