Connection peaks - NTP


Thread: Connection peaks

  1. Connection peaks

    I have some strange peaks in the number of connections to my machine.
    It's usually about a couple of hundred connections, but a couple of
    times a day I get a few thousand connections instead. The traffic
    seems to be directed to my NTP server. The amount of traffic on the
    NTP port is only about 100kbit/s, but there are very many connections.
    I can have 10000 connections at the same time, which is kind of much.
    My machine didn't take it very well yesterday and the round trip times
    rose to about 500ms so the time went a bit out of sync. Why are there
    such strong peaks in the number of connections? I'm in the SE pool, my
    server is on 80.252.175.45.


  2. Re: Connection peaks


    "independence" writes:
    > Why are there so strong peaks in the number of connections? I'm in
    > the SE pool, my server is on 80.252.175.45.


    Maybe a large number of clients are all running sntp and they all
    decide to poll at nice round-numbered times? (eg. they might all poll
    on the hour and every 10 minutes after that.) This would lead to very
    cyclic loading.

    -wolfgang

  3. Re: Connection peaks

    independence,

    You are apparently victim of a terrorist flooding attack. See
    http://www.eecis.udel.edu/~mills/dat...ti/ptti04a.pdf.

    You might try enabling the kiss-o'-death (KoD) packet, but the terrorist
    probably will not respond. To find out who the varmints are, use the
    ntpdc monlist command. However, the apparent source of the flood is
    probably not the terrorist itself, more likely a distributed denial of
    service attack. It would be useful if you could send us the ntpd monlist
    results.

    There are three schools of thought on this issue: 1) Behave as if
    nothing is wrong. The terrorist will lose interest. 2) Toss a KoD,
    presumably to tell the terrorist was detected and the FBI will swoop on
    the sender. 3) Toss intentionally distorted time, presumably to tell the
    terrorist was detected and actively defended. The problem with 3) is
    that it might be hard to differentiate between the misguideds and
    outright terrorists.

    Dave

    independence wrote:
    > I have some strange peaks in the number of connections to my machine.
    > It's usually about a couple of hundred connections, but a couple of
    > times a day I get a few thousand connections instead. The traffic
    > seems to be directed to my NTP server. The amount of traffic on the
    > NTP port is only about 100kbit/s, but there are very many connections.
    > I can have 10000 connections at the same time, which is kind of much.
    > My machine didn't take it very well yesterday and the round trip times
    > rose to about 500ms so the time went a bit out of sync. Why are there
    > such strong peaks in the number of connections? I'm in the SE pool, my
    > server is on 80.252.175.45.
    >
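Dave's advice to enable KoD maps onto a couple of ntp.conf directives. What follows is an added example, not text from the thread or code from the NTP distribution: a constructed ntp.conf fragment that turns on rate limiting with kiss-o'-death replies, plus a small shell audit that checks whether a given ntp.conf actually carries those flags. The upstream server names and the temporary file are placeholders; the directives themselves (discard, restrict, kod, limited, noquery) are standard ntpd configuration.

```shell
#!/bin/sh
# Added example (not from the thread or the NTP project): an ntp.conf
# fragment with KoD rate limiting, and an audit function that checks a
# given ntp.conf for it. The sample file is constructed in a temp file so
# nothing under /etc is touched.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# Rate-limit thresholds used by the "limited" restriction (see the
# discard directive in the ntpd documentation for the units).
discard average 3 minimum 2
# "limited" enforces the thresholds, "kod" answers offenders with a
# kiss-o'-death packet, "noquery" refuses remote ntpdc/ntpq queries
# such as monlist from everyone the default restriction applies to.
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
# Upstream servers: placeholder names, not real hosts.
server ntp1.example.net iburst
server ntp2.example.net iburst
EOF

# check_kod FILE: succeed only if every "restrict default" line in FILE
# (with or without -4/-6) carries kod, limited and noquery; otherwise
# report what is missing and fail.
check_kod() {
    lines=$(grep -E '^[[:space:]]*restrict([[:space:]]+-[46])?[[:space:]]+default([[:space:]]|$)' "$1" || true)
    if [ -z "$lines" ]; then
        echo "$1: no 'restrict default' line at all"
        return 1
    fi
    total=$(printf '%s\n' "$lines" | grep -c .)
    status=0
    for flag in kod limited noquery; do
        with=$(printf '%s\n' "$lines" | grep -cw "$flag" || true)
        if [ "$with" -ne "$total" ]; then
            echo "$1: a 'restrict default' line lacks '$flag'"
            status=1
        fi
    done
    return $status
}

check_kod "$SAMPLE_CONF" && echo "$SAMPLE_CONF: KoD rate limiting is enabled"
```

Run `check_kod /etc/ntp.conf` against a live configuration to see which flag is missing. Older ntpd releases (the 4.2.4 line current when this thread was written) apply `restrict default` to IPv4 only and need a matching `restrict -6 default ...` line, which the audit also inspects.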


  4. Re: Connection peaks

    On Feb 24, 7:06 pm, "David L. Mills" wrote:
    > independence,
    >
    > You are apparently victim of a terrorist flooding attack. See http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf.
    >
    > You might try enabling the kiss-o'-death (KoD) packet, but the terrorist
    > probably will not respond. To find out who the varmints are, use the
    > ntpdc monlist command. However, the apparent source of the flood is
    > probably not the terrorist itself, more likely a distributed denial of
    > service attack. It would be useful if you could send us the ntpd monlist
    > results.
    >
    > There are three schools of thought on this issue: 1) Behave as if
    > nothing is wrong. The terrorist will lose interest. 2) Toss a KoD,
    > presumably to tell the terrorist was detected and the FBI will swoop on
    > the sender. 3) Toss intentionally distorted time, presumably to tell the
    > terrorist was detected and actively defended. The problem with 3) is
    > that it might be hard to differentiate between the misguideds and
    > outright terrorists.
    >
    > Dave


    First of all, I'm a bit concerned with your use of the word
    "terrorist". Here is a definition: One who utilizes the systematic use
    of violence and intimidation to achieve political objectives, while
    disguised as a civilian non-combatant.
    Someone who uses DoS or DDoS attacks is not a terrorist.
    The floods seem to come from an ISP in Turkey named TurkTelecom; many
    of their clients try to synchronize with my server in very intense
    bursts.
    I've also noticed in monlist that most clients have sent like 5
    packets, but some have sent about 50000 packets. Why is this?
    The peaks last for about 1 hour: for half an hour the connections
    increase dramatically, and for the next half hour they decrease.
    There seems to be no special time of day when it happens; it can be
    anytime with a seemingly random delay until the next peak.
    Anyone else got any ideas?


  5. Re: Connection peaks

    "independence" wrote:

    > The floods seem to come from an ISP in Turkey named TurkTelecom; many
    > of their clients try to synchronize with my server in very intense
    > bursts.


    Are you on the NTP pool mailing-list? TurkTelecom's use of the pool
    has been discussed there within the last week:

    http://fortytwo.ch/mailman/pipermail/timekeepers/


    --
    Ronan Flood

  6. Re: Connection peaks

    I have three pool members and the same behaviour - since the
    beginning ... For demonstration:

    https://ecoca.eed.usv.ro/mrtg/ntp2usvro_clireq.html

    and

    https://ecoca.eed.usv.ro/mrtg/ntp3usvro_clireq.html

    for two of the servers.


  7. Re: Connection peaks


    >First of all, I'm a bit concerned with your use of the word
    >"terrorist". Here is a definition: One who utilizes the systematic use
    >of violence and intimidation to achieve political objectives, while
    >disguised as a civilian non-combatant.
    >Someone who uses DoS or DDoS attacks is not a terrorist.
    >The floods seem to come from an ISP in Turkey named TurkTelecom; many
    >of their clients try to synchronize with my server in very intense
    >bursts.
    >I've also noticed in monlist that most clients have sent like 5
    >packets, but some have sent about 50000 packets. Why is this?
    >The peaks last for about 1 hour: for half an hour the connections
    >increase dramatically, and for the next half hour they decrease.
    >There seems to be no special time of day when it happens; it can be
    >anytime with a seemingly random delay until the next peak.
    >Anyone else got any ideas?


    The burst of an hour is probably when your system is active
    in the pool's DNS server.

    The 50000 packet case is probably buggy software. That's the
    "terrorist". It may be an innocent bug, but it's hard to tell
    the result from what a terrorist would do.

    --
    These are my opinions, not necessarily my employer's. I hate spam.
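The 5-versus-50000 split that independence saw, and Hal's reading of the heavy ones as buggy software, are easiest to examine when the monlist table is sorted by count. The following is an added example, not the poster's real output and not part of ntpdc: a shell filter over the column layout of `ntpdc -n -c monlist` (remote address, port, local address, count, mode, version, restrict flags, average and last interval), fed with constructed sample rows in the documentation address ranges. Later ntpd releases disable the monlist query by default, because it is both a privacy leak and an amplification vector for reflected floods, and offer `ntpq -c mrulist` instead; its columns differ, so the awk field numbers below apply to the ntpdc format only.

```shell
#!/bin/sh
# Added example: rank monlist entries by packet count so the few addresses
# responsible for most of the load stand out. Input is the "ntpdc -n -c
# monlist" column layout; every address and count below is constructed.

# heavy_clients THRESHOLD: read monlist output on stdin, skip the two
# header lines, print "count address" for each client whose packet count
# (column 4) exceeds THRESHOLD, heaviest first.
heavy_clients() {
    awk -v thr="$1" 'NR > 2 && $4 + 0 > thr { print $4, $1 }' | sort -rn
}

# client_summary: number of distinct clients and total packets, so a
# single heavy entry can be put in proportion to the whole table.
client_summary() {
    awk 'NR > 2 { n++; total += $4 }
         END { printf "%d clients, %d packets\n", n, total }'
}

# Constructed sample table. Most clients show a handful of packets with a
# long average interval; one address has sent tens of thousands, and one
# high-numbered source port hints at traffic arriving through a NAT box.
SAMPLE_MONLIST='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.10              123 80.252.175.45        5 3 4      0    900      12
192.0.2.11              123 80.252.175.45        5 3 4      0    850      40
198.51.100.7            123 80.252.175.45    50123 3 4      0      1       0
203.0.113.5           41234 80.252.175.45     4987 3 4      0      1       1
192.0.2.12              123 80.252.175.45        6 3 4      0    880       3'

printf '%s\n' "$SAMPLE_MONLIST" | client_summary
printf '%s\n' "$SAMPLE_MONLIST" | heavy_clients 1000
```

On a live server the same filters take the command output directly, `ntpdc -n -c monlist | heavy_clients 1000`, and the threshold is whatever separates normal pool clients (a few packets per volley) from the outliers on that machine.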


  8. Re: Connection peaks


    hal-usenet@ip-64-139-1-69.sjc.megapath.net (Hal Murray) writes:
    > The 50000 packet case is probably buggy software. That's the
    > "terrorist". It may be an innocent bug, but it's hard to tell
    > the result from what a terrorist would do.


    The 5000 packets could also be a NAT box with 1000 hosts behind it
    (where each host sends the same 5 packets per volley as the other
    standalone machines.)

    It is a shame that ISPs don't usually even bother adding their NTP
    servers to the list of servers that dhcp knows about. (That is, when
    they even have public ntp servers at all.)

    (In case any ISPs are listening, all they need to do is add this line
    to their dhcpd.conf file. (Assuming their domain name is example.com
    and their ntp server is called "ntp.example.com".) If they have
    multiple servers then a comma separated list will add all of them to
    the dhcp reply.)

    option time-servers ntp.example.com;

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/

  9. Re: Connection peaks

    On Feb 24, 4:56 pm, "Wolfgang S. Rupprecht" +gnus200...@gmail.com> wrote:
    > (In case any ISPs are listening, all they need to do is add this line
    > to their dhcpd.conf file. (Assuming their domain name is example.com
    > and their ntp server is called "ntp.example.com".) If they have
    > multiple servers then a comma separated list will add all of them to
    > the dhcp reply.)


    Except that no widely used NTP software (Windows Time or ntpd)
    actually uses the NTP information in a DHCP packet for anything. So
    why in the heck would ISPs bother?


  10. Re: Connection peaks

    Ryan Malayter wrote:
    > On Feb 24, 4:56 pm, "Wolfgang S. Rupprecht" > +gnus200...@gmail.com> wrote:
    >
    >>(In case any ISPs are listening, all they need to do is add this line
    >>to their dhcpd.conf file. (Assuming their domain name is example.com
    >>and their ntp server is called "ntp.example.com".) If they have
    >>multiple servers then a comma separated list will add all of them to
    >>the dhcp reply.)

    >
    >
    > Except that no widely used NTP software (Windows Time or ntpd)
    > actually uses the NTP information in a DHCP packet for anything. So
    > why in the heck would ISPs bother?
    >


    Perhaps to avoid endless calls to the help desk! "Do you have an NTP
    server available to customers?" "What is its IP address?"

    Of course the customer would have to know that DHCP is capable of this
    and how to configure DHCP to ask for this information. . . .


  11. Re: Connection peaks


    "Ryan Malayter" writes:
    > Except that no widely used NTP software (Windows Time or ntpd)
    > actually uses the NTP information in a DHCP packet for anything. So
    > why in the heck would ISPs bother?


    Fedora certainly uses it if it is provided. The dhclient program
    adds all the received servers to the end of /etc/ntp.conf.

    Since it only takes adding a line or two to a config file, it seems
    awfully lame for ISPs not to add it.

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/

  12. Re: Connection peaks

    On 2007-02-25, Wolfgang S. Rupprecht wrote:

    > "Ryan Malayter" writes:
    >
    >> Except that no widely used NTP software (Windows Time or ntpd)
    >> actually uses the NTP information in a DHCP packet for anything. So
    >> why in the heck would ISPs bother?

    >
    > Fedora certainly uses it if it is provided. The dhclient program adds
    > all the received servers to the end of /etc/ntp.conf .


    Debian's packaged (ISC) dhclient generates an /etc/ntp.conf.dhcp _from_
    the existing /etc/ntp.conf; the only changes are in the server
    statements. The original ntp.conf is _not_ overwritten.

    Debian's ntp init script will detect and use /etc/ntp.conf.dhcp instead
    of /etc/ntp.conf.

    --
    Steve Kostecke
    NTP Public Services Project - http://ntp.isc.org/

  13. Re: Connection peaks


    Steve Kostecke writes:
    > Debian's ntp init script will detect and use /etc/ntp.conf.dhcp instead
    > of /etc/ntp.conf


    That's a very good idea. Fedora has this hack method which tries to
    save the original file, but it eventually gets confused and ends up
    with two copies of the dhcp file, losing the non-dhcpd version
    entirely. For computers that don't move around that doesn't matter
    much, but for laptops that move around it bites you whenever moving
    from a dhcpd server with an ntp entry to one that doesn't have one.

    Does Debian's setup also have a way for stale ntp.conf.dhcp files to
    expire / get deleted?

    -wolfgang
    --
    Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
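To make the mechanism Steve describes concrete, and to show one way of handling the stale-file case Wolfgang asks about, here is an added shell example. It is not Debian's actual dhclient hook or ntp init script, only an illustration of the same idea: derive ntp.conf.dhcp from the administrator's ntp.conf by replacing nothing but the server statements, and let the startup path prefer the dhcp-derived file when it exists. The example works in a scratch directory rather than /etc; the DHCP server list is passed as a function argument, where a real dhclient exit hook would read it from the `$new_ntp_servers` variable dhclient-script sets; and removing ntp.conf.dhcp when a lease carries no NTP servers is this example's own choice, not a statement about what Debian's hook does.

```shell
#!/bin/sh
# Added example (not Debian's hook or init script): build ntp.conf.dhcp
# from ntp.conf, changing only the server statements, and pick the file
# ntpd should start with. ETC is a constructed scratch directory so /etc
# is left alone; a real dhclient exit hook would take the server list
# from $new_ntp_servers instead of a function argument.

ETC="$(mktemp -d)"

# make_dhcp_conf "ADDR ADDR ...": copy every non-server line of ntp.conf
# into ntp.conf.dhcp and append one server line per DHCP-supplied address.
# An empty list removes ntp.conf.dhcp, so a lease without NTP information
# does not leave a stale file behind (this example's choice).
make_dhcp_conf() {
    if [ -z "$1" ]; then
        rm -f "$ETC/ntp.conf.dhcp"
        return 0
    fi
    {
        grep -v '^[[:space:]]*server[[:space:]]' "$ETC/ntp.conf" || true
        for addr in $1; do
            echo "server $addr iburst"
        done
    } > "$ETC/ntp.conf.dhcp"
}

# active_conf: the file an init script would hand to ntpd; the
# DHCP-derived one wins whenever it exists.
active_conf() {
    if [ -r "$ETC/ntp.conf.dhcp" ]; then
        echo "$ETC/ntp.conf.dhcp"
    else
        echo "$ETC/ntp.conf"
    fi
}

# Constructed administrator ntp.conf (placeholder upstream names).
cat > "$ETC/ntp.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
server ntp1.example.net iburst
server ntp2.example.net iburst
EOF

# A lease offering two NTP servers (documentation addresses): the dhcp
# file is created and becomes active, while ntp.conf itself is untouched.
make_dhcp_conf "192.0.2.1 192.0.2.2"
echo "ntpd would start with: $(active_conf)"
cat "$(active_conf)"

# A later lease without NTP servers: the dhcp file goes away and the
# administrator's ntp.conf is active again.
make_dhcp_conf ""
echo "ntpd would now start with: $(active_conf)"
```

Because the restrict lines are carried over unchanged, a roaming laptop keeps its access policy whichever server list the current network hands it; only the upstream servers follow the lease.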
