Deleted server and incoming traffic

Hi friends,

My personal NTP server at home keeps receiving a lot of UDP 123 NTP requests from random IPs. I've deleted it from the system because I'm participating in a group that is interested in having an NTP server in our headquarters, but we have a problem: we can only access the internet through 3G or 4G operators, because it is cheap for us and we don't use a lot. This way of connecting to the internet consists of a package limited by a monthly quota; when participating in the pool, the data traffic can easily go over 1GB / day! And now, after 8 hours, I'm getting almost 100MB of UDP 123 traffic here. I think this is because my personal IP is still in the DNS system, isn't it?

-> Why is the server on 3G / 4G related to my IP? With 3G / 4G we can't access NTP externally because we have a lot of NAT layers that only the operator has access to, so to make the server work I've set up an SSH tunnel from the headquarters to my router. This tunnel carries TCP traffic loading NTP packets. The NTP packets are converted to TCP on the server side and, in my router, converted back to UDP packets. It is working great because for now I'm not with this server in our headquarters, just at home for testing.

Regards,

Luiz

Ongoing traffic after deleting a server is normal and should be expected. The following is stated very clearly on the join page, and referenced again on the manage / add server page:

Finally, I must emphasize that joining the pool is a long term commitment. We are happy to take you out of the pool again if your circumstances change, but because of how the ntp clients operate it will take weeks, months or even YEARS before the traffic completely goes away.

2 Likes

Just close your incoming port and it’s over.

Not quite that simple. Blocking the port will stop the traffic from making it past wherever that firewall is located in your network, that’s all. You’ll still see that inbound traffic hitting your firewall (and therefore using some of your inbound bandwidth) for a considerable period of time after removing the server from the pool.

If you actually need the traffic completely off whatever links it’s arriving on, and you aren’t prepared to wait for it to die down naturally, you’ll need to get your upstream provider(s) to block it for you instead.

Asking upstream providers to block NTP traffic is a last resort option. It may affect other nearby connections depending on the block they impose and you’ll probably not be able to install an NTP server ever again on that IP address.

Much better is to keep the NTP daemon running and respond with KOD packets. KOD packets have been part of the standard since January 2006 and should work on all well-behaved NTPv4 and SNTPv4 clients.

1 Like
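To make the KoD suggestion concrete, here is an added example (not code from the thread or from any NTP daemon) of what a Kiss-o'-Death reply looks like on the wire and how a server decides to send one: it parses a 48-byte NTPv4 client request, keeps a per-source sliding-window counter, and when a source exceeds the limit answers with stratum 0, leap indicator 3 and the ASCII kiss code "RATE" in the reference ID, echoing the client's transmit timestamp in the origin field. The packet layout follows RFC 5905; the rate thresholds, the sample addresses and the timestamps are constructed for the demo.

```python
import struct
import time
from collections import defaultdict, deque

# Wire layout of a 48-byte NTPv4 packet (RFC 5905 section 7.3):
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit timestamps.
NTP_PACKET = struct.Struct("!BBbbIIIQQQQ")
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MODE_CLIENT = 3
MODE_SERVER = 4
LI_ALARM = 3  # leap indicator 3: clock unsynchronized, carried by KoD replies


def to_ntp_timestamp(unix_time):
    """Convert a Unix time (float seconds) to a 64-bit NTP timestamp."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def make_client_request(transmit_ts, version=4):
    """Build a constructed NTPv4 client request (mode 3) carrying the given transmit timestamp."""
    li_vn_mode = (version << 3) | MODE_CLIENT
    return NTP_PACKET.pack(li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, transmit_ts)


def parse_packet(data):
    """Return (version, mode, transmit_ts) for an NTP packet, or None if it is too short."""
    if len(data) < NTP_PACKET.size:
        return None
    fields = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    version = (fields[0] >> 3) & 0x7
    mode = fields[0] & 0x7
    return version, mode, fields[10]


def build_kod(client_packet, kiss_code=b"RATE", now=None):
    """Build a Kiss-o'-Death reply: stratum 0, LI=3, refid = 4-char ASCII kiss code,
    origin timestamp echoing the client's transmit timestamp so the client can match it."""
    version, _, client_xmt = parse_packet(client_packet)
    now_ts = to_ntp_timestamp(time.time() if now is None else now)
    li_vn_mode = (LI_ALARM << 6) | (version << 3) | MODE_SERVER
    refid = struct.unpack("!I", kiss_code)[0]
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, 0, 0, refid, 0, client_xmt, now_ts, now_ts)


class SourceRateLimiter:
    """Sliding-window request counter per source address; thresholds are constructed for the demo."""

    def __init__(self, max_requests=8, window_seconds=8.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)

    def allow(self, src_ip, now):
        recent = self.history[src_ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()          # drop requests older than the window
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def handle_datagram(data, src_ip, limiter, now):
    """Decide what to do with one inbound datagram.
    Returns ("ignore", None), ("serve", None) or ("kod", reply_bytes)."""
    parsed = parse_packet(data)
    if parsed is None or parsed[1] != MODE_CLIENT:
        return "ignore", None          # malformed, or not a client request
    if limiter.allow(src_ip, now):
        return "serve", None           # a normal time response would be sent here
    return "kod", build_kod(data, b"RATE", now)


if __name__ == "__main__":
    limiter = SourceRateLimiter(max_requests=2, window_seconds=8.0)
    request = make_client_request(to_ntp_timestamp(1_700_000_000.0))
    for t in (100.0, 101.0, 102.0):
        print(t, handle_datagram(request, "198.51.100.7", limiter, t)[0])
```

The point of the example is the reply format: a client that honours KoD sees stratum 0 plus the "RATE" code and backs off, which is what makes this approach shed traffic faster than silently dropping packets. A real daemon would also serve the "serve" branch and would size the window to its own polling policy.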

I agree that upstream blocks aren’t ideal. If keeping the server running, or sending KoD packets, or even just ignoring or firewalling the traffic locally are options, then that is preferable. None of those choices actually get rid of all the traffic in a timely manner though.

If the server continues to work, you can firewall it with a TTL and block "distant" hosts.
You can also request an IP replacement from your ISP. It's good practice to warn the provider that a server has been installed at this address and that some traffic is still going to it.
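Filtering by TTL works because every router decrements it, so a low arrival TTL usually means a far-away sender; the catch is that different operating systems start from different initial values (64, 128 or 255), so a plain "block TTL below N" rule misjudges some hosts. The following added example (not the poster's rules or any firewall's code) parses constructed firewall-style log lines, estimates hop counts from the nearest common initial TTL, and shows where the naive threshold and the hop-aware rule disagree. The log format, addresses and thresholds are constructed for the demo.

```python
import re

# Initial TTL values most operating systems put on outgoing packets
# (64 for Linux/BSD/macOS, 128 for Windows, 255 for some network gear).
# Constructed assumption for this demo: a sender's initial TTL is the
# smallest of these at or above the TTL observed on arrival.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed sample lines in the style of a kernel firewall log; only the
# SRC= and TTL= fields are used here.
SAMPLE_LOG = """\
NTP-IN: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=60 PROTO=UDP SPT=123 DPT=123
NTP-IN: IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 TTL=40 PROTO=UDP SPT=123 DPT=123
NTP-IN: IN=eth0 SRC=192.0.2.15 DST=203.0.113.10 TTL=110 PROTO=UDP SPT=123 DPT=123
NTP-IN: IN=eth0 SRC=192.0.2.16 DST=203.0.113.10 TTL=120 PROTO=UDP SPT=123 DPT=123
"""

LOG_RE = re.compile(r"SRC=(\S+).*?TTL=(\d+)")


def estimate_hops(observed_ttl):
    """Estimate how many routers a packet crossed from its arrival TTL.
    Returns None for an impossible TTL (greater than 255)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


def naive_is_distant(observed_ttl, min_ttl):
    """The simple 'block TTL below N' rule: treats every low TTL as far away
    and every high TTL as near, regardless of the sender's initial TTL."""
    return observed_ttl < min_ttl


def hop_aware_is_distant(observed_ttl, max_hops):
    """Distant if the estimated hop count exceeds max_hops (or the TTL is invalid)."""
    hops = estimate_hops(observed_ttl)
    return hops is None or hops > max_hops


def classify_log(text, min_ttl=50, max_hops=12):
    """Parse firewall log lines and return, per source address,
    (ttl, estimated hops, naive verdict, hop-aware verdict)."""
    result = {}
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        src, ttl = match.group(1), int(match.group(2))
        result[src] = (
            ttl,
            estimate_hops(ttl),
            naive_is_distant(ttl, min_ttl),
            hop_aware_is_distant(ttl, max_hops),
        )
    return result


if __name__ == "__main__":
    for src, (ttl, hops, naive, aware) in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} ttl={ttl:3} hops={hops:3} naive_distant={naive} hop_aware_distant={aware}")
```

In the sample, the host arriving with TTL 110 is about 18 hops away (it started at 128), yet the naive "below 50" rule lets it through while blocking nothing it should not; a hop-aware rule needs one match per initial-TTL band, which is why a single `--ttl-lt` style threshold is only a rough approximation of "distant".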