70 minute traffic pattern

A brief note for future self and possibly others. I’m migrating one NTP server to a newer host, because the old host’s operating system is approaching its EOL date. The old server was removed from the pool in late November, but it will still respond to NTP queries. This server was configured for the “cn” zone in the pool

The server was recently offline for a few hours. When it came back online, I noticed an odd spike pattern:
The server came back just before midnight UTC. You may notice a small spike just before midnight’s red line. Every 70 minutes from midnight there’s another small spike until the end of the graph. The traffic seems to level off later on.

This was not a problem for me at all, but I thought it was interesting. I believe these clients were polling the server every 70 minutes (which is fine), but when they didn’t get a response (when the server was offline) they started polling more frequently. Otherwise these clients wouldn’t have synchronized to start polling regularly again at 70 minute intervals at midnight UTC. What I don’t know is how often they tried to poll when the server was offline. Hopefully it was something sane, like every 5 minutes. I guess I could find this out by stopping chrony and running tcpdump for a few hours. Maybe some day when I don’t have anything else to do.


I guess you do not know the number of clients generating this odd traffic, beacuse you did not do packet capture. Sometimes it is just one client flooding your server.

Some time ago I noticed a similar pattern after rebooting a server, but the period was much shorter, about 30 seconds:

It disappeared in an hour:

1 Like