Quoting Thomas Pfaff <[email protected]>:

> Hello, list.
>
> My ntp server is in the pool and since it was added I've been looking
> more closely at the network traffic (out of curiosity) and there are a
> few things that have me confused that I was hoping you guys could help
> me understand.
>
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses. Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
>
> example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
> ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
> example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
>
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"? (read on; graph coming up)

These are either forged sender addresses or a client sitting behind
some firewall or NAT which doesn't let the answer pass back and rejects
it. We have this too in our traffic.

> My second question: why is the ntp traffic so spiky? For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.

Most of the time it is because some devices prefer some fixed time of
day to sync with the pool instead of using a random start time or
interval. So these clients all rush in at nearly the same time. But
7000 requests per minute isn't something to worry about, no? We once
had an offender with ~800 packets per second, it only stopped after
1,2GB traffic even though we dropped all packets from this IP. The
ntpd doesn't really care anyway, it hummed along with around 5% CPU
usage on a really slow machine even with that packet rate.

Regards

Andreas
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
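
An added example, not part of the original thread: a short Python script that pairs each NTP response in a tcpdump text capture with a later ICMP port unreachable for the same client and port, so a pool operator can see which clients reject the answers they asked for. The line format is taken from the excerpt quoted above; the function name is hypothetical and the sample lines after the first three are constructed.

```python
import re
from collections import Counter

# Line shapes follow the tcpdump excerpt quoted in the thread (host.port
# notation); a leading timestamp, if present, is skipped by search().
UDP_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): v\d (client|server)\b")
ICMP_RE = re.compile(r"(\S+) > (\S+): icmp: (\S+) udp port (\d+) unreachable")

# Constructed sample: the first three lines are the ones quoted in the thread,
# the remaining lines are made up for this example.
SAMPLE = """\
example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
client-a.example.net.123 > ntp.tp76.info.123: v4 client strat 0 poll 6 prec -20
ntp.tp76.info.123 > client-a.example.net.123: v4 server strat 4 poll 6 prec -6 [tos 0x10]
example.com.2691 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
ntp.tp76.info.123 > example.com.2691: v4 server strat 4 poll 0 prec -6 [tos 0x10]
example.com > ntp.tp76.info: icmp: example.com udp port 2691 unreachable
example.com > ntp.tp76.info: icmp: example.com udp port 9999 unreachable
""".splitlines()


def rejected_responses(lines, server):
    """Return (Counter: client -> rejected responses, total responses sent)."""
    pending = set()        # (client, port) pairs we answered, not yet rejected
    rejected = Counter()
    responses = 0
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            _src, dst, host, port = m.groups()
            key = (host, int(port))
            # Count only errors that match a response this server really sent;
            # an unreachable for a port we never answered is ignored.
            if dst == server and key in pending:
                pending.discard(key)
                rejected[host] += 1
            continue
        m = UDP_RE.search(line)
        if m and m.group(5) == "server" and m.group(1) == server:
            responses += 1
            pending.add((m.group(3), int(m.group(4))))
    return rejected, responses


if __name__ == "__main__":
    per_client, total = rejected_responses(SAMPLE, "ntp.tp76.info")
    for client, n in per_client.most_common():
        print(f"{client}: {n} of {total} responses answered with port unreachable")
```

A client that shows up here for every request it sends fits either explanation given in the reply (forged source address, or a firewall/NAT that rejects the returning packet); the capture alone does not distinguish the two.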