[Pool] ntp queries, icmp unreachable, traffic graph

Fabian Wenk fabian at wenks.ch
Tue Feb 11 16:43:31 UTC 2014

Hello Thomas

On 10.02.14 23:03, Thomas Pfaff wrote:
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses.  Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
>     example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
>     ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
>     example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"?  (read on; graph coming up)

As others pointed out, the system doing the request (or if his IP 
address is spoofed), does block / reject udp traffic from port 
123 to any other port in. If it just happens seldom, just ignore it.

> My second question; why is the ntp traffic so spikey?  For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.

I do not know how you measure the requests. For my graphs [1] 
I measure the packets with the 'packets received' and 'packets 
sent' from the 'ntpdc -c sysstats -c iostats' output. But I guess 
they do correspond to requests.

   [1] http://www.home4u.ch/ntp/

If you look at my graphs, I have much higher peaks. But it does 
not affect the operation of the system itself, even if some of 
them are only single core Xeon with 3 GHz.
My servers are also in the TR zone, from which we know that 
there are probably CPEs from one large ISP which are doing sntp 
at fixed times.
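
An added example, not part of the original post: it correlates the server's NTP replies with the ICMP port unreachable messages in a capture like the one quoted above, so you can see whether the rejections are rare or concentrated on a few addresses. It assumes the old tcpdump text format shown in the quote; the function name and the second client in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# "host.port > host.port: v4 client|server ..." as printed in the quoted capture
UDP = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): v\d (client|server)\b")
# "host > host: icmp: host udp port N unreachable"
ICMP = re.compile(r"^(\S+) > (\S+): icmp: (\S+) udp port (\d+) unreachable")

# First three lines are from the post; the last two are constructed.
SAMPLE = """\
example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
client-a.example.4711 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.tp76.info.123 > client-a.example.4711: v4 server strat 4 poll 0 prec -6 [tos 0x10]
"""

def rejected_replies(lines, ntp_port="123"):
    """Per client: replies sent from ntp_port, and how many drew ICMP unreachable."""
    stats = defaultdict(lambda: {"replies": 0, "rejected": 0})
    answered = set()  # (client, client_port) pairs a server reply went to
    for line in lines:
        line = line.strip()
        m = UDP.match(line)
        if m:
            # Only our own replies matter; incoming client requests are skipped.
            if m.group(5) == "server" and m.group(2) == ntp_port:
                stats[m.group(3)]["replies"] += 1
                answered.add((m.group(3), m.group(4)))
            continue
        m = ICMP.match(line)
        # Count the ICMP error only if it matches a reply we actually sent.
        if m and (m.group(3), m.group(4)) in answered:
            stats[m.group(3)]["rejected"] += 1
            answered.discard((m.group(3), m.group(4)))
    return dict(stats)

if __name__ == "__main__":
    for client, s in sorted(rejected_replies(SAMPLE.splitlines()).items()):
        print(f"{client}: {s['rejected']}/{s['replies']} replies rejected")
```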


