Hello,
There are three sets of facts you may want to consider.

First, in reports of how security consultants handle denial-of-service defense engagements, the consultants seem to develop ad hoc solutions to determining where the flood of packets is coming from. [1]

Second, in one study of Internet time server usage [2, Fig. 2], it was found that one server received requests with these frequencies:

- DayTime and Time requests (TCP): ~10^2.2 to ~10^2.4 per second (sec).
- NTP requests (UDP, port 123): ~10^3 per sec, with bursts of 10^3.2 to 10^3.4 per sec every 5 minutes.
- NTP packet requests (UDP, other ports): between ~10^3.2 and ~10^3.5 per sec (depending on the hour of the day), with bursts up to ~10^4 per sec every minute.

In total this server experienced a steady stream of about 30,000 requests for time per second (rps), with peaks to 90,000 rps every hour, and smaller peaks to 40,000 rps every half hour. Another server in this group had a steady stream of about 5,000 rps, with peaks to ~40,000 rps every half hour. Both these servers had very heavy peaks of requests at midnight.

Third, in my reading of the source code for the Network Time Protocol Daemon (NTPD), the program is optimized to handle a high number of requests per second, not to record who is making the requests.

My conclusions from these facts and observations are:

1. Determining who is using an NTP time server is, almost by definition, a Big Data problem, and may require a Big Data solution, but do search with Bing and/or Google first.
2. If you want a high-quality solution to finding out who is using an NTP time server, you may have to provide it yourself. You can download the source code from www.ntp.org and modify it to serve your needs.
3. The book [3] has examples in it of applying open-source big data software to big data problems. I could not make these examples run under Windows, but the book's author assured me that they ran well under Linux.
In any case, the examples did not use Spark, which apparently is much easier to use and faster than Hadoop.

Charles Elliott

References:

[1] Menn, Joseph. (2010). Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet. New York, NY: PublicAffairs.
[2] Sherman, Jeff A., & Levine, Judah. (2016). Usage Analysis of the NIST Internet Time Service. Journal of Research of the National Institute of Standards and Technology (JRES). doi: http://dx.doi.org/10.6028/jres.121.003 (nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf)
[3] Marz, Nathan, & Warren, James. (2015). Big Data: Principles and Best Practices of Scalable Real-Time Data Systems. Shelter Island, NY: Manning Publications.

-----Original Message-----
From: questions [mailto:questions-bounces+elliott.ch=comcast....@lists.ntp.org] On Behalf Of Johannes Weber
Sent: Monday, February 6, 2017 3:11 PM
To: questions@lists.ntp.org
Subject: [ntp:questions] Monitoring Number of Clients

Hello NTP list,

I have one question concerning the monstats and mrulist commands. I am monitoring my NTP servers and I want to graph the current clients. I am using the "addresses" line from the monstats output. However, it seems that every client that was gone many days ago (!) is still listed within the "addresses" section and not only in the "peak addresses". The same is true within the mrulist output, which lists addresses that have a lstint many days ago.

So my question is: how can I get a number of the "most recent" clients, i.e., clients that have a lstint < 2000 or the like? (One bad approach might be to use the mrulist output and to grep all lines that have an lstint < 2000. But I am searching for a better way to do it.)

Thanks in advance!
Johannes

--
Johannes Weber
Webernetz.net - Network Security Consulting
mail: johan...@webernetz.net
mobile: +49 174 1880211
blog: https://blog.webernetz.net
twitter: @webernetz (https://twitter.com/webernetz)

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
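The "grep lines with lstint < 2000" approach mentioned in the original question, written out as a small parser over `ntpq -c mrulist` output. This is an added example for this thread, not code from either poster or from the ntp.org project. It assumes the column layout ntpq prints for the mrulist report (lstint avgint rstr r m v count rport remote address, with lstint in seconds since the last packet from that address); the sample rows are constructed, and the threshold of 2000 seconds is the one from the question.

```python
"""Count "recent" NTP clients from `ntpq -c mrulist` output.

Added example for the ntp:questions thread above; not ntpd/ntpq code.
Assumption: mrulist rows are laid out as
    lstint avgint rstr r m v  count rport remote address
and lstint is the number of seconds since the last packet from that address.
"""
import re
import subprocess
from typing import List, NamedTuple

# Constructed sample output (not a real capture). Header and ruler lines are
# what ntpq prints before the rows; addresses are documentation ranges.
SAMPLE_MRULIST = """\
lstint avgint rstr r m v  count rport remote address
==============================================================================
    12     64    0 L 3 4    812   123 198.51.100.7
   540   1024    0 L 3 4     33   123 203.0.113.22
  1999    128    0 L 3 4   4411 53242 192.0.2.15
  2000     64    0 L 3 4     90   123 192.0.2.16
345600    900    0 L 3 3      4   123 198.51.100.200
     3      0  1d0 L 3 4 200000 40000 203.0.113.99
"""


class MruEntry(NamedTuple):
    lstint: int    # seconds since last packet from this address
    avgint: int    # average interval between packets, seconds
    rstr: str      # restrict flags as printed (hex)
    count: int     # packets received from this address
    rport: int     # source port of the last packet
    address: str   # remote address (IP or resolved name)


# One data row: six leading fields, then count, rport and the address.
# Header, ruler and status lines never match, so they are skipped.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S)\s+(\d)\s+(\d)\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_mrulist(text: str) -> List[MruEntry]:
    """Parse mrulist report text into MruEntry records, skipping non-rows."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        lstint, avgint, rstr, _r, _m, _v, count, rport, addr = m.groups()
        entries.append(
            MruEntry(int(lstint), int(avgint), rstr, int(count), int(rport), addr)
        )
    return entries


def recent_clients(entries: List[MruEntry], max_lstint: int = 2000) -> List[MruEntry]:
    """Keep only entries heard from strictly less than max_lstint seconds ago."""
    return [e for e in entries if e.lstint < max_lstint]


def count_recent(text: str, max_lstint: int = 2000) -> int:
    """Number of distinct MRU rows seen within the last max_lstint seconds."""
    return len(recent_clients(parse_mrulist(text), max_lstint))


def live_mrulist() -> str:
    """Fetch the report from the local ntpd; requires ntpq and mrulist access."""
    return subprocess.run(
        ["ntpq", "-c", "mrulist"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample:
    print("recent (<2000 s):", count_recent(SAMPLE_MRULIST))
    for e in recent_clients(parse_mrulist(SAMPLE_MRULIST)):
        print(f"  {e.address:>16}  lstint={e.lstint:<6} count={e.count}")
```

For graphing, call `count_recent(live_mrulist())` from the monitoring agent instead of reading monstats "addresses", which (as the question notes) counts every address still held in the MRU list regardless of age. Note that a client that has been rate-limited or dropped from the list by the `mru` size limits will not appear at all, so the count is a lower bound on recent clients, not an exact one.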