[Pool] ntp queries, icmp unreachable, traffic graph

lst_hoe02 at 79365-rhs.de lst_hoe02 at 79365-rhs.de
Tue Feb 11 14:03:08 UTC 2014


Quoting Thomas Pfaff <tpfaff at tp76.info>:

> Hello, list.
>
> My ntp server is in the pool and since it was added I've been looking
> more closely at the network traffic (out of curiosity) and there are a
> few things that have me confused that I was hoping you guys could help
> me understand.
>
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses.  Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
>
>    example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
>    ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
>    example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
>
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"?  (read on; graph coming up)

These are either forged sender addresses or a client sitting behind
some firewall or NAT which doesn't let the answer pass back and rejects
it. We have this too in our traffic.

> My second question; why is the ntp traffic so spikey?  For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.

Most of the time it is because some devices prefer some fixed time of
day to sync with the pool instead of using a random start time or
interval. So these clients all rush in at nearly the same time. But
7000 requests per minute isn't something to worry about, no? We once
had an offender with ~800 packets per second, it only stopped after
1,2GB traffic even though we dropped all packets from this IP. The
ntpd doesn't really care anyway, it hummed along with around 5% CPU
usage on a really slow machine even with that packet rate.

Regards

Andreas
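
Added example, not part of the original message: a short Python script that reads tcpdump text output in the format quoted above, counts requests per minute, and matches each ICMP port-unreachable to the server reply it rejects. The timestamps, host names and sample lines are constructed, and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample capture in the tcpdump text format quoted above, with
# timestamps added; all host names are placeholders.
SAMPLE = """\
14:00:01.100 client-a.example.2690 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
14:00:01.101 ntp.example.123 > client-a.example.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
14:00:01.150 client-a.example > ntp.example: icmp: client-a.example udp port 2690 unreachable
14:00:02.200 client-b.example.40123 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
14:00:02.201 ntp.example.123 > client-b.example.40123: v4 server strat 4 poll 0 prec -6 [tos 0x10]
14:01:05.000 client-a.example.2691 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
14:01:05.001 ntp.example.123 > client-a.example.2691: v4 server strat 4 poll 0 prec -6 [tos 0x10]
14:01:05.040 client-a.example > ntp.example: icmp: client-a.example udp port 2691 unreachable
14:01:06.000 client-c.example > ntp.example: icmp: client-c.example udp port 5000 unreachable
"""

# "host.port > host.port: v4 client|server"; the greedy host group backtracks
# to the last ".digits", which tcpdump prints as the port.
NTP = re.compile(r"^(\d\d:\d\d):\S+ (\S+)\.(\d+) > (\S+)\.(\d+): v4 (client|server)\b")
ICMP = re.compile(r"^\S+ \S+ > \S+: icmp: (\S+) udp port (\d+) unreachable")

def analyse(capture):
    """Return (requests per minute, rejected replies per host, unmatched ICMP count)."""
    per_minute, rejected, unmatched = Counter(), Counter(), 0
    replied = set()  # (host, port) pairs this server has sent a reply to
    for line in capture.splitlines():
        m = NTP.match(line)
        if m:
            minute, _src, _sport, dst, dport, mode = m.groups()
            if mode == "client":
                per_minute[minute] += 1
            else:
                replied.add((dst, dport))
            continue
        m = ICMP.match(line)
        if m:
            key = m.groups()  # (host, port) named in the ICMP error
            if key in replied:
                rejected[key[0]] += 1
                replied.discard(key)
            else:
                unmatched += 1  # no reply of ours corresponds to this error
    return per_minute, rejected, unmatched
```

The per-host count shows which addresses keep rejecting replies, but a capture alone cannot tell whether a given address was forged or sits behind a filtering device.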






