#arpnetworks 2016-12-16,Fri

↑back Search ←Prev date Next date→ Show only urls(Click on time to select a line by its url)

WhoWhatWhen
***dj_goku has joined #arpnetworks
dj_goku_ has quit IRC (Ping timeout: 250 seconds)
[02:41]
....................... (idle for 1h50mn)
ziyourenxiang has joined #arpnetworks [04:34]
........... (idle for 51mn)
pyvpxeveryone adding NTP to their dhcpd after the google announcement? :p [05:25]
............... (idle for 1h12mn)
mkbwhat google announcement
please don't say it's the fake time stamp thing
leap second I mean
[06:37]
................ (idle for 1h19mn)
***Lucifer333 has joined #arpnetworks [07:56]
..... (idle for 24mn)
plettpyvpx: The ones that smear leap seconds? No, it's a silly idea and client applications need to cope with their clocks changing under them for other reasons, so dealing with a leap second should be no problem [08:20]
***ziyourenxiang has quit IRC (Quit: Leaving) [08:33]
mercutiothings neding to doesn't describe reality at all [08:42]
jcvi've written more than enough code that cares about leap seconds (satellite data) to think google's smear idea is terrible [08:51]
mercutiois it terrible for good code, or terrible for bad code? [08:53]
...... (idle for 29mn)
brycecmercutio: zeit.arp is also seeing the traffic increase. It's setting off my monitoring constantly :(
But thanks for mentioning it and the nanog list, at least I can follow along...
(I really wondered. At a glance, the traffic seemed legit so I put off investigating it.)
[09:22]
mercutioit's mostly mobile providers seemed to be the thing that was known so far [09:26]
brycecI don't have finer-grained record on it, alas, so I can't break down connections by source or what their queries looked like. But I do monitor overall bandwidth which has tripled. 12 Dec was averaging 550kbps, the next few days are 723kbps, 1.26mbps, and 1.45mbps [09:27]
mercutioahh
that's much lower than some people see
some people have seen 20 megabit
[09:28]
brycecYeah I saw Dan Brown's stats (http://seclists.org/nanog/2016/Dec/161) but still that's ~10% of his total traffic, that doesn't seem disproportionately high.
Well zeit.arp is a relatively low stratum, 2 or 3 I think.
(I assume higher stratum, eg 1, get more traffic from the NTP Pool)
In any case, it's better to talk about relative increases rather than absolute numbers. He's see quadruple the bw, we've seen triple, it's all... weird.
[09:29]
mercutiohmm [09:30]
brycec(Zeit used to do ~5GB/day, yesterday it did 15GB :/) [09:30]
mercutioyeh
some of the servers in thsi neck of the woods bailed ouit recently
which i think pushed traffic up further
and they're seeing US traffic as well for some reason
i dunno why there's so many posts here
err on nznog
[09:30]
brycecAnd this is the traffic from my own VPS which I also have setup in the Pool under a fairly low stratum) http://imgur.com/a/Ixs1U [09:32]
mercutiothere's 19 posts on nznog, 13 posts on nanog
hmm it looks like it started to go up slower
on monday
[09:32]
brycecLooking at the current traffic to Zeit (and hammering rDNS) I'm seeing a surprising number out UK clients
(BT, Ireland ISPs, etc)
(Virgin Mobile, Telus Canada which I know is not UK)
(Norway, Sweden, Germany...)
I think I'm most surprised to see requests from AWS EC2 instances though.
Not a ton, but a few.
(France, The Netherlands, Switzerland, Brazil)
(Belgium, Argentina)
[09:35]
mercutiohmm that is curious
so yeah there's two things, the geo location seems wrong
and no-one knows why there's heaps more traffic
[09:45]
brycecI was hoping it was something obvious like "Amazon turned on NTP inside all new EC2 instances" but... 1) That's dumb, and 2) I should see more traffic then, probably. [09:47]
.................................. (idle for 2h46mn)
***Lucifer333 has quit IRC (Quit: Leaving) [12:33]
..... (idle for 20mn)
hive-mind has quit IRC (Remote host closed the connection)
hive-mind has joined #arpnetworks
[12:53]
........................................... (idle for 3h34mn)
dj_goku has quit IRC (Remote host closed the connection) [16:28]
...... (idle for 26mn)
ziyourenxiang has joined #arpnetworks [16:54]
dj_goku has joined #arpnetworks [17:06]
....... (idle for 34mn)
Nahual has joined #arpnetworks [17:40]
...... (idle for 26mn)
nathaniwhat tool / software / config can I use to authenticate BGP prefixes to originate from respective ASNs? [18:06]
mercutioRPKI
it's hardly used though
[18:08]
nathanilike DNSSEC :-) [18:10]
.... (idle for 18mn)
https://www.youtube.com/watch?v=P65XdTlk4vA [18:28]
BryceBotYouTube video: "Jonathan Zittrain: The Web as random acts of kindness" by TED [18:28]
mercutioDNSSEC is used heaps now
dnscurve is hardly used
[18:37]
........ (idle for 38mn)
***Nahual has left [19:15]
nathani@google dnscurve [19:21]
BryceBot1,440 total results returned for 'dnscurve', here's 3
DNSCurve - Wikipedia (https://en.wikipedia.org/wiki/DNSCurve) DNSCurve is a proposed new secure protocol for the Domain Name System ( DNS), designed by Daniel J. Bernstein. Contents. [hide]. 1 Description; 2 Security  ...
GitHub - mdempsky/dnscurve: Tools for DNS curve implementation (https://github.com/mdempsky/dnscurve) Tools for DNS curve implementation. Contribute to dnscurve development by creating an account on GitHub.
DNSCurve – Wikipedia (https://de.wikipedia.org/wiki/DNSCurve) DNSCurve ist eine Technik zur sicheren Auflösung von Domain-Namen in IP- Adressen. Autor des im August 2008 veröffentlichen Protokoll-Vorschlags ist der  ...
[19:21]
nathanicloudflare has support for dnssec
even on their free tier
[19:22]
brycecbrycec makes use of it :) [19:23]
nathaniI used to be a heavy dnsmadeeasy user, but can't beat free and all sorts of caching / security features with cloudflare
does pool.ntp.org resolve to zeit for close clients?
ie is it part of the public pool?
[19:24]
brycecIt should, yes.
(otherwise I have no idea how France, Belgium, Germany, the Netherlands, UK... got the address)
[19:24]
nathaniwas the spike in traffic across both v4 and v6? [19:25]
brycecI can't say for certain, I only monitor the traffic at the interface level.
Doing periodic tcpdumps, traffic is 99% v4
[19:26]
nathanido you also monitor skew and time corrections on the vm itself? [19:28]
brycecWhat's really interesting to me is that, at least according to tcpdump's protocol identification, ip6 traffic is exclusively ntpv2 and ntpv3 clients, while ip traffic is about 98% ntpv4
Yes. It's pretty stable. And perks of NTP, it handles itself fairly well.
[19:31]
.... (idle for 15mn)
nathaniyou would think the ipv6 clients would be more capable and request later version of ntp protocol
dns queries to pool.ntp.org dont seem to return AAAA records when requested
[19:47]
brycecBut 2.pool.ntp.org does
So any clients with [0123].pool.ntp.org configured, as I've often seen in default ntp.conf will still hit it
[19:51]
nathanithe nanog list mentioned an IOT provider that had configured something differently
didnt name the provider or device though
[19:53]
brycecDid it? I don't remember seeing anything like that http://seclists.org/nanog/2016/Dec/index.html#159 [19:56]
nathaninznog actually
I have them in the same label in gmail
"The chatter in #ntp on IRC infers that it was through a change made by a IoT vendor (though that's all the info that's been given, so take that with as much salt as you wish)."
https://list.waikato.ac.nz/pipermail/nznog/2016-December/022411.html
[19:57]
brycecOh nznog :p [20:00]
nathaniFolks down under need ntp too :-) [20:01]
brycec(Thanks for thelink)
(I didn't have a link to nznog archives)
[20:01]
nathanithere is also AUSnog which I follow: http://lists.ausnog.net/pipermail/ausnog/ [20:02]
mercutioyeh i dunno why nznog had so much discussion :) [20:04]
nathanitime servers are 'critical' infrastructure for the internet, kinda like dns servers 'maybe' - it is essential to have them up and running and a spike in traffic of such extent can lead to insufficient capacity to deal with legitimate queries assuming the excess traffic is not legit [20:08]
..... (idle for 20mn)
up_the_ironsso what's all this about increase in NTP traffic....
why exactly would Zeit be getting more traffic now?
[20:28]
brycecup_the_irons: because zeit is a member of pool.ntp.org
And pool.ntp.org is seeing an unexplained increase in traffic
It's legitimate traffic so far as anyone can tell, at least. (And not something nefarious like a DDoS or amplification attack)
[20:31]
nathanihttps://lists.ntp.org/pipermail/pool/2016-December/007997.html
this guy had to shut off his ntp server to get his firewall working
[20:33]
brycec(Though to be fair, it was a Cisco ASA *rimshot*) [20:34]
nathaniJust a thought, yesterday was Microsoft patch day. If MS added the pool to all the Windows clients out there, that could certainly account for this traffic.
^ lol
[20:35]
brycec(yeah saw that message)
Windows still defaults to time.windows.com last I checked.
[20:35]
nathaniwhere is the page that shows you health of individual servers etc
I think I was looking for http://www.pool.ntp.org/scores/208.79.89.249
[20:36]
brycechttp://www.pool.ntp.org/scores/2607:f2f8:a650::3
Yeah
Zeit ip6 http://www.pool.ntp.org/scores/2607:f2f8:0:102::2317
Zeit ip4 http://www.pool.ntp.org/scores/208.79.89.249
for those interested
[20:37]
up_the_ironsbrycec: ah OK
I forgot it was part of that pool
[20:39]
bryceclol
up_the_irons: Sorry about the unexpected, unexplained tripling in traffic
[20:39]
nathanihttp://irclogger.arpnetworks.com/irclogger_log/arpnetworks?date=2014-06-19,Thu&sel=389#l385
wow its been 2.5 years
[20:40]
brycec(Geez look at nathani pulling a brycec, quoting the logs) [20:41]
nathanitoo bad brycebot didnt pull the quote from the url and paste it into the channel :-) [20:42]
brycecMaybe someday [20:42]
up_the_ironsbrycec: do you know what the Mbps is? [20:43]
brycecup_the_irons: Yes.
Today's average is 1.89mbps
Yesterday's is 1.45mbps
day before 1.26
[20:43]
nathanithats like 20gb/day [20:44]
up_the_ironsOK tnx
so not bad
[20:44]
nathaniI guess folks are concerned if it keeps increasing like that
the list mentioned 20mbps in some cases
also its small packets so max pps on firewalls etc
[20:45]
brycec16.72GB so far today, yes nathani
14.92GB yesterday
fwiw zeit is configured as 100mbps North America
[20:46]
mercutiowow
i suppose there's lots of higher bandwidth ones
it sounded like 50 megabit ones were getting hit hard before
[20:48]
brycec(today's average is up to 1.91mbps, total 17.01GB, 8.58GB inbound + 8.42GB outbound) [20:51]
nathanihow is cpu load?
have you seen https://developers.google.com/time/
[20:52]
brycecfairly low, 0-10% CPU usage
I saw mentions of it. I... don't approve.
(of "smearing")
[20:53]
nathaniwhat about all the apps that cant handle leap seconds [20:54]
brycecFix the app.
Duh :p
Frankly I don't think I've encountered an application that can't handle leap seconds
[20:54]
nathaniif folks use standard ntp you can correlate events from different systems and be sure the timestamps refer to the same time. No translation as in the case of smearing [20:57]
brycec(I mean, I'm not saying affected applications don't exist. I just haven't encountered one personally) [20:58]

↑back Search ←Prev date Next date→ Show only urls(Click on time to select a line by its url)