More abusive NTP clients, this time from Germany

Miroslav observed unexplained NTP request bursts coming from clients in Germany. The duration of the bursts varied, but was often ~140 seconds. During a burst, hundreds to thousands of clients might each send ~200 NTP requests.
So far no NTP server disruptions have been seen, but it is worrisome.

Based on our tcpdump analysis we currently suspect some type of IP-aware appliance; it could be some network-related phenomenon.
The behavior may extend past Germany, we’re still analyzing.

Has anyone observed similar behavior? Packet captures would be welcome.
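One way to screen a capture for the per-client signature described above (an added example, not code from the NTP Pool project or from anyone in this thread; the tcpdump-style input lines, the 140 s window and the 200-request threshold are assumptions taken from the numbers quoted here):

```python
"""Flag NTP clients matching the burst signature from this thread: ~200
requests from one client inside ~140 s. Added example; the input lines are
constructed in the shape of `tcpdump -n -tt udp port 123` output."""
import re
from collections import defaultdict

# Matches a client-mode request line: timestamp, source IP, destination IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.123: NTPv\d, Client")

def parse_ntp_client_requests(lines):
    """Return {source_ip: [timestamps]} for client requests to UDP/123."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_src[m.group("src")].append(float(m.group("ts")))
    return by_src

def find_bursts(by_src, window=140.0, threshold=200):
    """Return {source_ip: (window_start, peak_count)} for sources whose peak
    request count inside any `window`-second span reaches `threshold`.
    Two-pointer sweep over sorted timestamps, O(n) per source."""
    flagged = {}
    for src, stamps in by_src.items():
        stamps = sorted(stamps)
        start, peak, peak_start = 0, 0, None
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_start = end - start + 1, stamps[start]
        if peak >= threshold:
            flagged[src] = (peak_start, peak)
    return flagged

def constructed_capture():
    """Constructed sample (documentation addresses): 198.51.100.7 sends 200
    requests 0.6 s apart (burst), 203.0.113.9 polls every 64 s (normal),
    plus one server reply that must not be counted as a client request."""
    base, server = 1700000000.0, "192.0.2.1"
    lines = [f"{base + i * 0.6:.6f} IP 198.51.100.7.123 > {server}.123: "
             "NTPv4, Client, length 48" for i in range(200)]
    lines += [f"{base + i * 64:.6f} IP 203.0.113.9.40123 > {server}.123: "
              "NTPv4, Client, length 48" for i in range(10)]
    lines.append(f"{base + 1:.6f} IP {server}.123 > 203.0.113.9.40123: "
                 "NTPv4, Server, length 48")
    return lines
```

Running `find_bursts(parse_ntp_client_requests(constructed_capture()))` reports only the bursting client; on a real capture, feed the function the lines of `tcpdump -n -tt udp port 123` instead.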

Is it isolated to ipv4 or ipv6 traffic or both?
Any observed pattern (every x hours)?

The TTL on pool A/AAAA responses seems to be 129 currently. I wonder if the misbehavior then switches to another set of pool server victims.

So far we’ve only seen it on IPv4. Maybe 2-3 bursts/hour with no obvious periodicity.

I’m seeing similar traffic patterns on my server in Germany. But they are not a new phenomenon - they have been there ever since I first monitored my NTP server traffic in Germany, at least half a year ago. Nevertheless they are worth investigating.

I’ll do a packet cap later.

Graph for anyone interested: green are handled requests, yellow are dropped requests.

Can you share any individual IP addresses or ranges? Happy to grab you some packet captures if I’m seeing any of their traffic.

IIRC there was a German heating manufacturer some time ago which also “abused” the pool.
Ahh, quick search: How to NOT use the NTP Pool
Maybe they’re doing it again :see_no_evil:

Nice article, thanks. The NTP client described in this article has a different signature, NTP requests every 7 seconds. The abusive clients I mentioned could be IoT devices.

One range to look at is 62.54.0.0/16

That is an Internet Service Provider. So … yea … maybe bad rollout for new router firmware.

@stevesommars I got a small amount of traffic from that block; emailed you a PCAP. @mlichvar do you want a copy as well?

The pcap contains one NTP client in the 62.54.0.0/16 subnet and it didn’t generate much traffic. I suggested Paul try a different capture filter.

The only capture filter on it was the IP range. :smile: I didn’t expect much traffic, since I’m not in a zone that will likely receive much traffic from that range.