[Pool] ntp queries, icmp unreachable, traffic graph
fabian at wenks.ch
Tue Feb 11 16:43:31 UTC 2014
On 10.02.14 23:03, Thomas Pfaff wrote:
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses. Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
> example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
> ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
> example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"? (read on; graph coming up)
As others pointed out, the system doing the request (or if its IP
address is spoofed) does block / reject UDP traffic from port
123 to any other port in. If it happens only seldom, just ignore it.
> My second question; why is the ntp traffic so spikey? For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.
I do not know how you measure the requests. For my graphs
I measure the packets with the 'packets received' and 'packets
sent' from the 'ntpdc -c sysstats -c iostats' output. But I guess
they do correspond to requests.
If you look at my graphs, I have much higher peaks. But it does
not affect the operation of the system itself, even if some of
them are only single core Xeon with 3 GHz.
My servers are also in the TR zone, from which we know that
there are probably CPEs from one large ISP which are doing SNTP
at fixed times.
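
The request / response / port-unreachable sequence quoted above can be counted per client from a saved tcpdump text log. This is an added example, not part of the original post; the host names and the sample capture are constructed, and the line format is assumed to match the excerpt in the quoted message.

```python
import re
from collections import Counter

# Line shapes as printed in the tcpdump excerpt quoted in the post.
NTP = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): v4 (client|server)")
ICMP = re.compile(r"(\S+) > (\S+): icmp: (\S+) udp port (\d+) unreachable")

def correlate(lines, server):
    """Per client: (responses sent by `server`, responses bounced with ICMP)."""
    pending = Counter()   # (client, port) -> responses not yet bounced
    sent = Counter()      # client -> responses sent
    bounced = Counter()   # client -> responses answered with port unreachable
    orphans = []          # unreachables that match no response we saw
    for line in lines:
        m = NTP.search(line)
        if m:
            src, sport, dst, dport, mode = m.groups()
            if mode == "server" and src == server and sport == "123":
                pending[(dst, int(dport))] += 1
                sent[dst] += 1
            continue
        m = ICMP.search(line)
        if m and m.group(2) == server:
            key = (m.group(3), int(m.group(4)))
            if pending[key] > 0:
                pending[key] -= 1
                bounced[key[0]] += 1
            else:
                orphans.append(line)
    return {c: (sent[c], bounced[c]) for c in sent}, orphans

def always_bouncing(stats, min_responses=2):
    """Clients that rejected every response (filtered or spoofed source)."""
    return sorted(c for c, (s, b) in stats.items() if s >= min_responses and b == s)

# Constructed sample capture (hypothetical hosts), same format as the post.
SAMPLE = """\
a.example.2690 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.example.123 > a.example.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
a.example > ntp.example: icmp: a.example udp port 2690 unreachable
b.example.40001 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.example.123 > b.example.40001: v4 server strat 4 poll 0 prec -6 [tos 0x10]
a.example.2691 > ntp.example.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.example.123 > a.example.2691: v4 server strat 4 poll 0 prec -6 [tos 0x10]
a.example > ntp.example: icmp: a.example udp port 2691 unreachable
c.example > ntp.example: icmp: c.example udp port 5000 unreachable
""".splitlines()

if __name__ == "__main__":
    stats, orphans = correlate(SAMPLE, "ntp.example")
    print(stats, always_bouncing(stats), len(orphans))
```

A client that bounces only an occasional response matches the "just ignore it" case; one that bounces every response is the pattern to look at when a spoofed source address is suspected.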