More abusive NTP clients, this time from Germany

Server operators
1

Miroslav observed unexplained NTP request bursts coming from clients in Germany. The duration of the bursts varied, but was often ~140 seconds. During a burst hundreds to thousand of clients might each send ~200 NTP requests.
So far no NTP server disruptions have been seen, but it is worrisome.

Based on our tcpdump analysis we currently suspect some type of IP-aware appliance: It could be some network related phenomenon.
The behavior may extend past Germany, we’re still analyzing.

Has anyone observed similar behavior? Packet captures would be welcome.

2

Is it isolated to ipv4 or ipv6 traffic or both?
Any observed pattern (every x hours).

1 Like
3

The TTL on pool A/AAAA responses seems to be 129 currently. I wonder if the misbehavior then switches to another set of pool server victims.

4

So far we’ve only seen it on IPv4. Maybe 2-3 bursts/hour with no obvious periodicity.

5

I’m seeing similar traffic patterns on my server in Germany. But they are not a new phenomenon - they have been there ever since I first monitored my NTP server traffic in Germany, at least half a year ago. Nevertheless they are worth investigating.

I’ll do a packet cap later

6

grafik
grafik2518×1109 287 KB

Graph for anyone interested - green are handled requests, yellow are dropped requests

7

Can you share any individual IP addresses or ranges? Happy to grab you some packet captures if I’m seeing any of their traffic.

8

IIRC there was an german heating manufactor some time ago which also “abused” the pool.
Ahh quick search: How to NOT use the NTP Pool
Maybe they doing it again :see_no_evil:

9

Nice article, thanks. The NTP client described in this article has a different signature, NTP requests every 7 seconds. The abusive clients I mentioned could be IoT devices.

11

One range to look at is 62.54.0.0/16

12

That is an Internet Service Provider. So … yea … maybe bad rollout for new router firmware.

13

@stevesommars I got a small amount of traffic from that block; emailed you a PCAP. @mlichvar do you want a copy as well?

14

The pcap contains one NTP client in the 62.54.0.0/16 subnet and it didn’t generate much traffic. I suggested Paul try a different capture filter.

15

The only capture filter on it was the IP range. :smile: I didn’t expect much traffic, since I’m not in a zone that will likely receive much traffic from that range.