[Pool] ntp queries, icmp unreachable, traffic graph

Thomas Pfaff tpfaff at tp76.info
Mon Feb 10 22:03:15 UTC 2014

Hello, list.

My ntp server is in the pool and since it was added I've been looking
more closely at the network traffic (out of curiosity) and there are a
few things that have me confused that I was hoping you guys could help
me understand.

Looking at a tcpdump on my external interface I see, obviously, a lot
of ntp requests and responses.  Now, once in a while a response gets
answered with an icmp port unreachable, transaction something like

   example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
   ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
   example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable

Why does it say "answer me on port 2690" and when I do I get "sorry,
that port is unreachable"?  (read on; graph coming up)

My second question: why is the ntp traffic so spiky?  For an hour I
get about 150 requests per minute and then suddenly I get about 7000
requests per minute for a short time, and then it drops.

I graphed the output of tcpdump for incoming udp/123 and icmp port
unreachable, hoping I could see a correlation between the spikes of
ntp queries and icmp port unreachable, though it's not as clear as
I had hoped.

Here's the graph -- http://tp76.info/rrd/ntp/still.png
(see http://tp76.info/rrd/ntp/ for "live" graph).

Note that the icmp port unreachable graph is not associated purely
with ntp queries, though my link is basically idle except for the
ntp traffic so it's pretty safe to assume they're highly related.

Just to be clear: I'm not complaining.  I'd just very much like to
understand what I'm seeing.

Thank you.
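
Added example, not part of the original post: one way to test the correlation described above is to pair each ICMP port unreachable with the NTP reply that was sent to the same host and port, in addition to counting both per minute. It assumes each tcpdump line keeps its default HH:MM:SS.ffffff timestamp (the excerpt above omits it); the SAMPLE lines, the client names and the 5-second window are constructed for illustration.

```python
import re
from collections import Counter

SERVER = "ntp.tp76.info"  # server name as it appears in the post's capture

# Assumption: tcpdump's default timestamp prefix is present on every line.
TS = r"(?P<ts>\d\d:\d\d:\d\d)\.\d+ "
NTP = re.compile(TS + r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
                      r"v\d (?P<mode>client|server) ")
UNREACH = re.compile(TS + r"(?P<src>\S+) > (?P<dst>\S+): icmp: "
                          r"(?P<host>\S+) udp port (?P<port>\d+) unreachable")

def seconds(ts):
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s

def correlate(lines, window=5):
    """Return (requests/min, unreachables/min, matched, unmatched)."""
    requests, unreach = Counter(), Counter()
    replies = {}  # (client host, client port) -> time of our last reply to it
    matched = unmatched = 0
    for line in lines:
        m = NTP.match(line)
        if m:
            if m["mode"] == "client" and m["dst"] == SERVER and m["dport"] == "123":
                requests[m["ts"][:5]] += 1          # bucket by HH:MM
            elif m["mode"] == "server" and m["src"] == SERVER:
                replies[(m["dst"], m["dport"])] = seconds(m["ts"])
            continue
        m = UNREACH.match(line)
        if m and m["dst"] == SERVER:
            unreach[m["ts"][:5]] += 1
            sent = replies.get((m["host"], m["port"]))
            # Matched only if we replied to that exact host/port just before.
            if sent is not None and 0 <= seconds(m["ts"]) - sent <= window:
                matched += 1
            else:
                unmatched += 1
    return requests, unreach, matched, unmatched

SAMPLE = """\
22:03:15.100000 client-a.example.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
22:03:15.100400 ntp.tp76.info.123 > client-a.example.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
22:03:15.180000 client-a.example > ntp.tp76.info: icmp: client-a.example udp port 2690 unreachable
22:03:40.000000 client-b.example.123 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
22:03:40.000300 ntp.tp76.info.123 > client-b.example.123: v4 server strat 4 poll 0 prec -6 [tos 0x10]
22:04:02.000000 client-c.example > ntp.tp76.info: icmp: client-c.example udp port 40000 unreachable
""".splitlines()
```

A high matched count ties the unreachables to NTP replies; unmatched ones come from other traffic on the link.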


