Re: Help me make sense of these traceroutes please
From: Jeroen Massar jer...@massar.ch
To: s...@circlenet.us, nanog@nanog.org
Subject: Re: Help me make sense of these traceroutes please

On 2013-12-25 00:16, Sam Moats wrote:
Hello Nanog community, I would like to enlist your help with understanding this latency I'm seeing.

You are likely seeing the effects of asymmetric routing.

... or the effect of passing traffic through NSA infrastructure.

SCNR, #m
Re: Help me make sense of these traceroutes please
On Wed, Dec 25, 2013 at 8:03 AM, Martin Hotze m.ho...@hotze.com wrote:
On 2013-12-25 00:16, Sam Moats wrote: ...
You are likely seeing the effects of asymmetric routing.
... or the effect of passing traffic through NSA infrastructure.

Ah... NSA. That's probably it. So much for my theory of a Router virtual chassis straddling the Atlantic. Or the extra kinetic energy carried by the overseas-bound packet took longer for the router to absorb and rebound with an ICMP.

But in all seriousness --- what is probably happening here, is the result of extra hops that don't show up in traceroute. MPLS tunnels could well fit the bill.

Other things to consider when latency seems sensitive to destination IP --- are preceding device in the traceroute might also have multiple links to the same device; with one link congested and some form of IP-based load sharing, that happens to be the toward-overseas link.

SCNR, #m

--
-JH
Re: Help me make sense of these traceroutes please
On Tue, 24 Dec 2013 19:03:02 -0500, Sam Moats said:
Also you'd be amazed how many network issues can be solved with a bunch of IT folks and an ample supply of Guinness

I once heard the claim that if you couldn't explain your network design and have the listener understand it after you had split a pitcher of Guinness, it was probably too complicated.
What's going on with NTP?
I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help. The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.) Is this just my special Christmas present, or are there screwed up NTP servers? Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly
Re: What's going on with NTP?
On Dec 25, 2013, at 11:35 AM, John Levine jo...@iecc.com wrote: I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help. The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.) Is this just my special Christmas present, or are there screwed up NTP servers? I suspect your servers are being attacked. Are you seeing a lot of in/out NTP traffic on those FreeBSD servers? -jav
Re: What's going on with NTP?
There have been a lot of NTP reflection attacks recently. Think the same as dns amplification. Make sure you restrict access and know how to look at the client list.

Jared Mauch

On Dec 25, 2013, at 10:42 AM, Javier Henderson jav...@kjsl.org wrote:
On Dec 25, 2013, at 11:35 AM, John Levine jo...@iecc.com wrote:
I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help. The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.) Is this just my special Christmas present, or are there screwed up NTP servers?

I suspect your servers are being attacked. Are you seeing a lot of in/out NTP traffic on those FreeBSD servers?
-jav
Re: What's going on with NTP?
On 12/25/2013 11:35 AM, John Levine wrote:
I have two FreeBSD servers where the NTP daemons are using double digit CPU percentages today rather than the usual 0.01%. Restarting them didn't help. The clock on my Android phone is five hours slow. (It's not the time zone, I checked that.) Is this just my special Christmas present, or are there screwed up NTP servers? Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly

you probably need to configure them correctly with:

    restrict default ignore

and add additional restrict lines if you have need for other legitimate servers to make contact with them. i suspect right now you're providing an ntp amplification attack to the spoofed source address.

-david
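An added example, not part of the original thread: a small Python check of which sources an ntp.conf restrict policy would still answer ntpq/ntpdc status queries for, comparing a permissive default with the `restrict default ignore` setup suggested above. The sample configurations, the addresses (documentation ranges) and the function names are constructed for illustration, and hostnames in restrict lines are skipped rather than resolved.

```python
import ipaddress

# Restrict flags that stop ntpd answering ntpq/ntpdc status queries.
BLOCKS_QUERY = {"ignore", "noquery"}
# Assumption: a bare "default" covers IPv4 and IPv6, as in current ntpd.
DEFAULTS = {None: ["0.0.0.0/0", "::/0"], "-4": ["0.0.0.0/0"], "-6": ["::/0"]}

def parse_restricts(conf_text):
    """Return [(network, flags)] for each 'restrict' line of ntp.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        family, words = None, words[1:]
        if words[0] in ("-4", "-6") and len(words) > 1:
            family, words = words[0], words[1:]
        addr, flags = words[0], words[1:]
        if flags[:1] == ["mask"] and len(flags) >= 2:
            addr, flags = f"{addr}/{flags[1]}", flags[2:]
        for net in (DEFAULTS[family] if addr == "default" else [addr]):
            try:
                entries.append((ipaddress.ip_network(net, strict=False), set(flags)))
            except ValueError:
                pass  # hostnames are not resolved in this offline example
    return entries

def flags_for(entries, source_ip):
    """Flags of the most specific entry matching source_ip; empty set if none."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, flags) for net, flags in entries
               if net.version == ip.version and ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else set()

def answers_queries(conf_text, source_ip):
    """True if this policy lets ntpd answer a status query from source_ip."""
    return not (flags_for(parse_restricts(conf_text), source_ip) & BLOCKS_QUERY)

# Constructed sample configurations (documentation address ranges).
WEAK = "restrict default nomodify notrap\n"
HARDENED = """restrict default ignore
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap nopeer noquery  # upstream time source
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer  # monitoring
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, answers_queries(conf, "203.0.113.5"))
```

With `restrict default ignore`, packets from upstream time sources are dropped as well, which is why the upstream server gets its own restrict line in the hardened sample.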
Re: Help me make sense of these traceroutes please
with a bunch of IT folks and an ample supply of Guinness. My ex used to call it design fluid. :-) Happy holidays, everyone! Anne Anne P. Mitchell, Attorney at Law CEO/President ISIPP SuretyMail Email Accreditation http://www.ISIPP.com Member, Cal. Bar Cyberspace Law Committee Author: Section 6 of the CAN-SPAM Act of 2003 How do you get to the inbox instead of the spam filter? SuretyMail! Helping businesses keep their email out of the junk folder since 1998 http://www.isipp.com/SuretyMail Author, They're Your Kids Too: The Single Father's Guide to Defending Your Fatherhood in a Broken Family Law System http://www.amazon.com/Theyre-Your-Kids-Too-Fatherhood/dp/061551443X
Re: Help me make sense of these traceroutes please
Pitcher of Guinness!?! What blasphemy is this, the only way to drink it is via individually poured pint glasses. Back to the issues I'd say MPLS or GCHQ before NSA.

On 25 Dec 2013 15:52, valdis.kletni...@vt.edu wrote:
On Tue, 24 Dec 2013 19:03:02 -0500, Sam Moats said:
Also you'd be amazed how many network issues can be solved with a bunch of IT folks and an ample supply of Guinness

I once heard the claim that if you couldn't explain your network design and have the listener understand it after you had split a pitcher of Guinness, it was probably too complicated.
Re: Help me make sense of these traceroutes please
That's why you're a bacon zombie. If you were a living person you'd know free beer tastes the same irrespective of the containment vessel. ;) I hope Santa brought all of you what you wanted. If not, blame UPS.

Sent from my Mobile Device.

Original message
From: Bacon Zombie baconzom...@gmail.com
Date: 12/25/2013 11:24 AM (GMT-09:00)
To: valdis.kletni...@vt.edu
Cc: s...@circlenet.us,nanog@nanog.org
Subject: Re: Help me make sense of these traceroutes please

Pitcher of Guinness!?! What blasphemy is this, the only way to drink it is via individually poured pint glasses. Back to the issues I'd say MPLS or GCHQ before NSA.

On 25 Dec 2013 15:52, valdis.kletni...@vt.edu wrote:
On Tue, 24 Dec 2013 19:03:02 -0500, Sam Moats said:
Also you'd be amazed how many network issues can be solved with a bunch of IT folks and an ample supply of Guinness

I once heard the claim that if you couldn't explain your network design and have the listener understand it after you had split a pitcher of Guinness, it was probably too complicated.
Re: What's going on with NTP?
https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
https://www.team-cymru.org/ReadingRoom/Templates/secure-endrun-template.html