[02:41] *** dj_goku has joined #arpnetworks [02:44] *** dj_goku_ has quit IRC (Ping timeout: 250 seconds) [04:34] *** ziyourenxiang has joined #arpnetworks [05:25] everyone adding NTP to their dhcpd after the google announcement? :p [06:37] what google announcement [06:37] please don't say it's the fake time stamp thing [06:37] leap second I mean [07:56] *** Lucifer333 has joined #arpnetworks [08:20] pyvpx: The ones that smear leap seconds? No, it's a silly idea and client applications need to cope with their clocks changing under them for other reasons, so dealing with a leap second should be no problem [08:33] *** ziyourenxiang has quit IRC (Quit: Leaving) [08:42] things neding to doesn't describe reality at all [08:51] i've written more than enough code that cares about leap seconds (satellite data) to think google's smear idea is terrible [08:53] is it terrible for good code, or terrible for bad code? [09:22] mercutio: zeit.arp is also seeing the traffic increase. It's setting off my monitoring constantly :( [09:22] But thanks for mentioning it and the nanog list, at least I can follow along... [09:23] (I really wondered. At a glance, the traffic seemed legit so I put off investigating it.) [09:26] it's mostly mobile providers seemed to be the thing that was known so far [09:27] I don't have finer-grained record on it, alas, so I can't break down connections by source or what their queries looked like. But I do monitor overall bandwidth which has tripled. 12 Dec was averaging 550kbps, the next few days are 723kbps, 1.26mbps, and 1.45mbps [09:28] ahh [09:28] that's much lower than some people see [09:28] some people have seen 20 megabit [09:29] Yeah I saw Dan Brown's stats (http://seclists.org/nanog/2016/Dec/161) but still that's ~10% of his total traffic, that doesn't seem disproportionately high. [09:29] Well zeit.arp is a relatively low stratum, 2 or 3 I think. [09:29] (I assume higher stratum, eg 1, get more traffic from the NTP Pool) [09:30] In any case, it's better to talk about relative increases rather than absolute numbers. He's see quadruple the bw, we've seen triple, it's all... weird. [09:30] hmm [09:30] (Zeit used to do ~5GB/day, yesterday it did 15GB :/) [09:30] yeh [09:31] some of the servers in thsi neck of the woods bailed ouit recently [09:31] which i think pushed traffic up further [09:31] and they're seeing US traffic as well for some reason [09:32] i dunno why there's so many posts here [09:32] err on nznog [09:32] And this is the traffic from my own VPS which I also have setup in the Pool under a fairly low stratum) http://imgur.com/a/Ixs1U [09:32] there's 19 posts on nznog, 13 posts on nanog [09:33] hmm it looks like it started to go up slower [09:33] on monday [09:35] Looking at the current traffic to Zeit (and hammering rDNS) I'm seeing a surprising number out UK clients [09:35] (BT, Ireland ISPs, etc) [09:36] (Virgin Mobile, Telus Canada which I know is not UK) [09:36] (Norway, Sweden, Germany...) [09:37] I think I'm most surprised to see requests from AWS EC2 instances though. [09:37] Not a ton, but a few. [09:37] (France, The Netherlands, Switzerland, Brazil) [09:38] (Belgium, Argentina) [09:45] hmm that is curious [09:46] so yeah there's two things, the geo location seems wrong [09:46] and no-one knows why there's heaps more traffic [09:47] I was hoping it was something obvious like "Amazon turned on NTP inside all new EC2 instances" but... 1) That's dumb, and 2) I should see more traffic then, probably. [12:33] *** Lucifer333 has quit IRC (Quit: Leaving) [12:53] *** hive-mind has quit IRC (Remote host closed the connection) [12:54] *** hive-mind has joined #arpnetworks [16:28] *** dj_goku has quit IRC (Remote host closed the connection) [16:54] *** ziyourenxiang has joined #arpnetworks [17:06] *** dj_goku has joined #arpnetworks [17:40] *** Nahual has joined #arpnetworks [18:06] what tool / software / config can I use to authenticate BGP prefixes to originate from respective ASNs? [18:08] RPKI [18:09] it's hardly used though [18:10] like DNSSEC :-) [18:28] https://www.youtube.com/watch?v=P65XdTlk4vA [18:28] YouTube video: "Jonathan Zittrain: The Web as random acts of kindness" by TED [18:37] DNSSEC is used heaps now [18:37] dnscurve is hardly used [19:15] *** Nahual has left [19:21] @google dnscurve [19:21] 1,440 total results returned for 'dnscurve', here's 3 [19:21] DNSCurve - Wikipedia (https://en.wikipedia.org/wiki/DNSCurve) DNSCurve is a proposed new secure protocol for the Domain Name System ( DNS), designed by Daniel J. Bernstein. Contents. [hide]. 1 Description; 2 Security  ... [19:21] GitHub - mdempsky/dnscurve: Tools for DNS curve implementation (https://github.com/mdempsky/dnscurve) Tools for DNS curve implementation. Contribute to dnscurve development by creating an account on GitHub. [19:21] DNSCurve – Wikipedia (https://de.wikipedia.org/wiki/DNSCurve) DNSCurve ist eine Technik zur sicheren Auflösung von Domain-Namen in IP- Adressen. Autor des im August 2008 veröffentlichen Protokoll-Vorschlags ist der  ... [19:22] cloudflare has support for dnssec [19:22] even on their free tier [19:23] * brycec makes use of it :) [19:24] I used to be a heavy dnsmadeeasy user, but can't beat free and all sorts of caching / security features with cloudflare [19:24] does pool.ntp.org resolve to zeit for close clients? [19:24] ie is it part of the public pool? [19:24] It should, yes. [19:25] (otherwise I have no idea how France, Belgium, Germany, the Netherlands, UK... got the address) [19:25] was the spike in traffic across both v4 and v6? [19:26] I can't say for certain, I only monitor the traffic at the interface level. [19:26] Doing periodic tcpdumps, traffic is 99% v4 [19:28] do you also monitor skew and time corrections on the vm itself? [19:31] What's really interesting to me is that, at least according to tcpdump's protocol identification, ip6 traffic is exclusively ntpv2 and ntpv3 clients, while ip traffic is about 98% ntpv4 [19:32] Yes. It's pretty stable. And perks of NTP, it handles itself fairly well. [19:47] you would think the ipv6 clients would be more capable and request later version of ntp protocol [19:48] dns queries to pool.ntp.org dont seem to return AAAA records when requested [19:51] But 2.pool.ntp.org does [19:52] So any clients with [0123].pool.ntp.org configured, as I've often seen in default ntp.conf will still hit it [19:53] the nanog list mentioned an IOT provider that had configured something differently [19:54] didnt name the provider or device though [19:56] Did it? I don't remember seeing anything like that http://seclists.org/nanog/2016/Dec/index.html#159 [19:57] nznog actually [19:58] I have them in the same label in gmail [19:58] "The chatter in #ntp on IRC infers that it was through a change made by a IoT vendor (though that's all the info that's been given, so take that with as much salt as you wish)." [19:59] https://list.waikato.ac.nz/pipermail/nznog/2016-December/022411.html [20:00] Oh nznog :p [20:01] Folks down under need ntp too :-) [20:01] (Thanks for thelink) [20:01] (I didn't have a link to nznog archives) [20:02] there is also AUSnog which I follow: http://lists.ausnog.net/pipermail/ausnog/ [20:04] yeh i dunno why nznog had so much discussion :) [20:08] time servers are 'critical' infrastructure for the internet, kinda like dns servers 'maybe' - it is essential to have them up and running and a spike in traffic of such extent can lead to insufficient capacity to deal with legitimate queries assuming the excess traffic is not legit [20:28] so what's all this about increase in NTP traffic.... [20:28] why exactly would Zeit be getting more traffic now? [20:31] up_the_irons: because zeit is a member of pool.ntp.org [20:31] And pool.ntp.org is seeing an unexplained increase in traffic [20:32] It's legitimate traffic so far as anyone can tell, at least. (And not something nefarious like a DDoS or amplification attack) [20:33] https://lists.ntp.org/pipermail/pool/2016-December/007997.html [20:34] this guy had to shut off his ntp server to get his firewall working [20:34] (Though to be fair, it was a Cisco ASA *rimshot*) [20:35] Just a thought, yesterday was Microsoft patch day. If MS added the pool to all the Windows clients out there, that could certainly account for this traffic. [20:35] ^ lol [20:35] (yeah saw that message) [20:35] Windows still defaults to time.windows.com last I checked. [20:36] where is the page that shows you health of individual servers etc [20:37] I think I was looking for http://www.pool.ntp.org/scores/208.79.89.249 [20:37] http://www.pool.ntp.org/scores/2607:f2f8:a650::3 [20:37] Yeah [20:38] Zeit ip6 http://www.pool.ntp.org/scores/2607:f2f8:0:102::2317 [20:38] Zeit ip4 http://www.pool.ntp.org/scores/208.79.89.249 [20:38] for those interested [20:39] brycec: ah OK [20:39] I forgot it was part of that pool [20:39] lol [20:39] up_the_irons: Sorry about the unexpected, unexplained tripling in traffic [20:40] http://irclogger.arpnetworks.com/irclogger_log/arpnetworks?date=2014-06-19,Thu&sel=389#l385 [20:41] wow its been 2.5 years [20:41] (Geez look at nathani pulling a brycec, quoting the logs) [20:42] too bad brycebot didnt pull the quote from the url and paste it into the channel :-) [20:42] Maybe someday [20:43] brycec: do you know what the Mbps is? [20:43] up_the_irons: Yes. [20:43] Today's average is 1.89mbps [20:43] Yesterday's is 1.45mbps [20:43] day before 1.26 [20:44] thats like 20gb/day [20:44] OK tnx [20:44] so not bad [20:45] I guess folks are concerned if it keeps increasing like that [20:45] the list mentioned 20mbps in some cases [20:45] also its small packets so max pps on firewalls etc [20:46] 16.72GB so far today, yes nathani [20:47] 14.92GB yesterday [20:47] fwiw zeit is configured as 100mbps North America [20:48] wow [20:49] i suppose there's lots of higher bandwidth ones [20:49] it sounded like 50 megabit ones were getting hit hard before [20:51] (today's average is up to 1.91mbps, total 17.01GB, 8.58GB inbound + 8.42GB outbound) [20:52] how is cpu load? [20:53] have you seen https://developers.google.com/time/ [20:53] fairly low, 0-10% CPU usage [20:53] I saw mentions of it. I... don't approve. [20:54] (of "smearing") [20:54] what about all the apps that cant handle leap seconds [20:54] Fix the app. [20:54] Duh :p [20:55] Frankly I don't think I've encountered an application that can't handle leap seconds [20:57] if folks use standard ntp you can correlate events from different systems and be sure the timestamps refer to the same time. No translation as in the case of smearing [20:58] (I mean, I'm not saying affected applications don't exist. I just haven't encountered one personally)