Recent NTP pool traffic increase

Gary E. Miller gem at rellim.com
Sun Dec 18 01:56:32 UTC 2016 

Yo All!

Someone on nanog was reporrting on the new NTP mystery.  He suggested
doing a dump similar to this:

# tcpdump -nvvi eth0 port 123 |grep "Originator - Transmit Timestamp:"

And I do indeed get odd results.  Some on my local network...

This is from a chronyd host to an ntpsec host.  I monitor them both
continuously and both seem to be keeping good time.

17:36:11.369329 IP (tos 0x0, ttl 64, id 21405, offset 0, flags [DF],
proto UDP ( 17), length 76)
    204.17.205.7.50937 > 204.17.205.27.123: [udp sum ok] NTPv4, length
48 Client, Leap indicator: clock unsynchronized (192), Stratum 0
(unspecifi ed), poll 6 (64s), precision 32
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID:
(unspec) Reference Timestamp:  0.000000000
          Originator Timestamp: 3691013707.207257069 (2016/12/17
17:35:07) Receive Timestamp:    276521666.321684728 (2044/11/11
10:02:42) Transmit Timestamp:   3684123061.899235956 (2016/09/29
00:31:01) Originator - Receive Timestamp:  +880475255.114427658
            Originator - Transmit Timestamp: -6890645.308021113

That 'Receive Timestamp' is strange.

Here is another one from the same chronyd host, to another ntpsec host:

17:36:23.395415 IP (tos 0x0, ttl 64, id 3599, offset 0, flags [DF],
proto UDP (1 7), length 76)
    204.17.205.7.33551 > 204.17.205.1.123: [udp sum ok] NTPv4, length 48
        Client, Leap indicator: clock unsynchronized (192), Stratum 0
(unspecifi ed), poll 6 (64s), precision 32
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID:
(unspec) Reference Timestamp:  0.000000000
          Originator Timestamp: 3691013718.824150890 (2016/12/17
17:35:18) Receive Timestamp:    1779216017.648483479 (2092/06/24
18:08:33) Transmit Timestamp:   1405803137.064633429 (2080/08/24
20:20:33) Originator - Receive Timestamp:  -1911797701.175667410
            Originator - Transmit Timestamp: +2009756714.240482539

Note both the 'Receive Timestamp' and 'Transmit Timestamp' are both
strange.

All three hosts have GPS for local time.

Here is one from a laptop, running chrony, that has no GPS:

17:36:52.643814 IP (tos 0x0, ttl 64, id 24624, offset 0, flags [DF],
proto UDP ( 17), length 76)
    204.17.205.21.41485 > 204.17.205.8.123: [udp sum ok] NTPv4, length
48 Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 6 (64s),
pre cision 32
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID:
(unspec) Reference Timestamp:  0.000000000
          Originator Timestamp: 3691013747.797479298 (2016/12/17
17:35:47) Receive Timestamp:    317494016.811980062 (2046/02/28
15:15:12) Transmit Timestamp:   127487236.597620268 (2040/02/21
11:35:32) Originator - Receive Timestamp:  +921447565.014500764
            Originator - Transmit Timestamp: +731440784.800140969

I have only seen this oddity from chronyd hosts...

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20161217/d2f37096/attachment.bin>

More information about the devel mailing list