[Pool] ntp queries, icmp unreachable, traffic graph

Daniel Frank ntp at tokuko.de
Tue Feb 11 13:55:32 UTC 2014


Hello,

There are multiple possible reasons for the behaviour you notice.
The icmp unreachable are probably caused by stupid NATs with a client behind 
them. Or badly configured firewalls that allow all outgoing traffic and 
then reject the incoming answer.

The spikes in your graph are probably caused by another sort of badly 
written clients:
Clients that update on a fixed time, e.g. on a full hour.

I also regularly see requests on ports 13 (daytime service) and on port 
37 (another old service).

Being in the pool easily lets you determine which networks and servers 
are well administrated (you won't even notice them unless you use 
tcpdump), scum (that sends you 20+ packets per second) and anything in 
between.
Unless it hurts, I just ignore the badly administrated systems. For all 
else I've got my firewall that blocks clients where sensible.

Regards,
Daniel


Am 2014-02-10 23:03, schrieb Thomas Pfaff:
> Hello, list.
> 
> My ntp server is in the pool and since it was added I've been looking
> more closely at the network traffic (out of curiosity) and there's a
> few things that have me confused that I was hoping you guys could help
> me understand.
> 
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses.  Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
> 
>    example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
>    ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
>    example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
> 
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"?  (read on; graph coming up)
> 
> My second question; why is the ntp traffic so spikey?  For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.
> 
> I graphed the output of tcpdump for incoming udp/123 and icmp port
> unreachable, hoping I could see a correlation between the spikes of
> ntp queries and icmp port unreachable, though it's not as clear as
> I had hoped.
> 
> Here's the graph -- http://tp76.info/rrd/ntp/still.png
> (see http://tp76.info/rrd/ntp/ for "live" graph).
> 
> Note that the icmp port unreachable graph is not associated purely
> with ntp queries, though my link is basically idle except for the
> ntp traffic so it's pretty safe to assume they're highly related.
> 
> Just to be clear; I'm not complaining.  I'd just very much like to
> understand what I'm seeing.
> 
> Thank you.
> 
> Cheers,
> Thomas.
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool
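
Added example, not part of either message: a Python script a pool operator could run over a text capture to test both explanations given in the reply, by matching each icmp port unreachable to a reply the server had just sent and by flagging minutes with a burst of requests. It assumes tcpdump lines in the format quoted in the thread with a leading HH:MM:SS.ffffff timestamp; the client names, the sample capture and the spike factor of 3 are constructed for illustration.

```python
import re
from collections import Counter

REQ = re.compile(r"^(\d\d:\d\d):\S+ (\S+)\.(\d+) > (\S+)\.123: v4 client")
RESP = re.compile(r"^\S+ (\S+)\.123 > (\S+)\.(\d+): v4 server")
UNREACH = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ udp port (\d+) unreachable")

def analyze(lines, server):
    """Return (requests per HH:MM, clients that bounced one of our replies)."""
    per_minute = Counter()
    answered = set()       # (client, source port) pairs we replied to
    rejecting = Counter()  # client -> replies answered with port unreachable
    for line in lines:
        line = line.strip()
        if m := REQ.match(line):
            if m.group(4) == server:
                per_minute[m.group(1)] += 1
        elif m := RESP.match(line):
            if m.group(1) == server:
                answered.add((m.group(2), m.group(3)))
        elif m := UNREACH.match(line):
            key = (m.group(1), m.group(3))
            # Count only unreachables that refer to a port we actually answered.
            if m.group(2) == server and key in answered:
                answered.discard(key)
                rejecting[m.group(1)] += 1
    return per_minute, rejecting

def spike_minutes(per_minute, factor=3):
    """Minutes whose request count exceeds factor times the median minute."""
    counts = sorted(per_minute.values())
    median = counts[len(counts) // 2]
    return sorted(m for m, c in per_minute.items() if c > factor * median)

def sample():
    """Constructed capture: a quiet baseline, a burst at 13:00, one bounced reply."""
    lines = []
    for minute, n in (("12:58", 2), ("12:59", 2), ("13:00", 8), ("13:01", 2)):
        for i in range(n):
            c, ts = f"client{i}.example", f"{minute}:{i:02d}.000000"
            lines.append(f"{ts} {c}.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)")
            lines.append(f"{ts} ntp.tp76.info.123 > {c}.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]")
    lines.append("13:00:09.000000 client1.example > ntp.tp76.info: "
                 "icmp: client1.example udp port 2690 unreachable")
    return lines

if __name__ == "__main__":
    per_minute, rejecting = analyze(sample(), "ntp.tp76.info")
    print(spike_minutes(per_minute), dict(rejecting))
```
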

