Strange NTP traffic

SpinyNorman

Hi Everyone,

I got a massive bill this month because I apparently went out of bundle and used about 20GB of data without knowing it. I got the provider concerned to send me a detailed data usage report. Most of the traffic seems to be NTP (Network time protocol) requests. Here's an extract:

| StartDateTime | EndDateTime | ServiceDomain | Protocol | UplinkVolume(KB) | DownlinkVolume(KB) | TotalVolume(KB) |
|---|---|---|---|---|---|---|
| 2013-03-02 10:13:35 | 2013-03-02 10:13:37 | 133.100.9.2 | NTP (Network Time Protocol) | 8.74 | 491.26 | 500.00 |
| 2013-03-02 10:13:37 | 2013-03-02 10:13:39 | 133.100.9.2 | NTP (Network Time Protocol) | 9.04 | 490.96 | 500.00 |
| 2013-03-02 10:13:39 | 2013-03-02 10:13:41 | 133.100.9.2 | NTP (Network Time Protocol) | 8.58 | 491.42 | 500.00 |
| 2013-03-02 10:13:41 | 2013-03-02 10:13:43 | 133.100.9.2 | NTP (Network Time Protocol) | 9.25 | 490.75 | 500.00 |
| 2013-03-02 10:13:43 | 2013-03-02 10:13:45 | 133.100.9.2 | NTP (Network Time Protocol) | 8.89 | 491.11 | 500.00 |
| 2013-03-02 10:13:46 | 2013-03-02 10:13:48 | 133.100.9.2 | NTP (Network Time Protocol) | 14.43 | 485.57 | 500.00 |
| 2013-03-02 10:13:48 | 2013-03-02 10:13:50 | 133.100.9.2 | NTP (Network Time Protocol) | 9.14 | 490.86 | 500.00 |
| 2013-03-02 10:13:50 | 2013-03-02 10:13:51 | 133.100.9.2 | NTP (Network Time Protocol) | 4.72 | 495.28 | 500.00 |
| 2013-03-02 10:13:51 | 2013-03-02 10:13:54 | 133.100.9.2 | NTP (Network Time Protocol) | 14.39 | 485.61 | 500.00 |

What seems strange to me is that even though the uplink and downlink volumes vary, the total always comes out to an even 500KB. The other thing that is strange is the volume itself. 500KB at a time to synchronise time makes no sense. I'm trying to get to the bottom of where this issue is coming from. If I can prove it's a fault with the provider then that would save me some money. If it's an issue with my setup then I'd like to find it and sort it out so that this doesn't continue. I also think it's slightly suspicious that that volume of traffic was able to get through every couple of seconds. Whilst it's theoretically possible and I have had download speeds of around 700KB/s before, that's definitely not the norm with this provider and there are times when I only have EDGE coverage!

I have a 3G USB modem plugged into a TP-Link 3G Wireless router. Any suggestions as to what I can do to get to the bottom of this? Do you think it's more likely incorrect recording by the provider, or is it more likely there is something wrong with my setup?
 
Is your TP-Link router configured to get the time from an NTP server? Which one?

133.100.9.2 is clock.nc.fukuoka-u.ac.jp
http://support.ntp.org/bin/view/Servers/PublicTimeServer000230

Edit: Here's a recent Novell bug requesting that the server be removed from the NTP list:
https://bugzilla.novell.com/show_bug.cgi?id=808223

Google Translate not doing such a good job with the Japanese references, but I think they are saying the server is overloaded, please use a different one.

I suggest you find which device on your network is configured to fetch its time from 133.100.9.2 (clock.nc.fukuoka-u.ac.jp) and change it to 196.25.1.1.
 
Thanks for the quick response. I will check my router configuration when I get home. Even if the NTP server is overloaded, do you think 500KBs per request is realistic? I'm trying to understand how I can have just over 19GB of NTP traffic in a month.

Edit: The other thing is that this server accounts for about 11GB of the 19GB. The other 8.5GB is from some other IPs (192.36.144.22, 199.165.76.11, 128.138.140.44, 129.7.1.66 etc). These are also all logged at a neat 500KB total despite fluctuating downlink and uplink volumes.
 
> Thanks for the quick response. I will check my router configuration when I get home. Even if the NTP server is overloaded, do you think 500KBs per request is realistic? I'm trying to understand how I can have just over 19GB of NTP traffic in a month.

No, a reply from a working NTP server should be a couple of bytes.

> Edit: The other thing is that this server accounts for about 11GB of the 19GB. The other 8.5GB is from some other IPs (192.36.144.22, 199.165.76.11, 128.138.140.44, 129.7.1.66 etc). These are also all logged at a neat 500KB total despite fluctuating downlink and uplink volumes.

The fact that you're getting the same 500KB totals from other servers sounds like too much of a coincidence to me.

Who is the provider? Maybe their system is incorrectly billing you for a minimum of 500KB, or maybe they only bill when the traffic reaches 500KB.
 
192.36.144.22 is ntp1.sth.netnod.se
199.165.76.11 is ntp.alaska.edu
128.138.140.44 is india.colorado.edu
129.7.1.66 is tick.uh.edu
 
Best practice: Set up one NTP server to request NTP updates from random time servers once a day (Smoothwall has this feature). Only do this if you're 100% sure that the "drift" on your NTP server is within an acceptable degree.

Then, LAN clients can query your NTP server to their heart's contents (updates every 30 minutes or whatever you prefer).

This way you can cut out a lot of superfluous NTP requests.

As I'm on an uncapped ADSL line, I've set my Smoothwall to update its time from random, multiple NTP servers every hour. Works quite nice too.

Here is a detailed breakdown of a typical NTP packet: http://www.meinbergglobal.com/english/info/ntp-packet.htm
 
Those IPs are definitely responding to NTP requests; you'd have to sniff the packets to see why they happen to round down to 500k. Typical NTP packet size should be less than 128 bytes.
 
> Those IPs are definitely responding to NTP requests; you'd have to sniff the packets to see why they happen to round down to 500k. Typical NTP packet size should be less than 128 bytes.

I think the 500KB is the billing increment, so 8.74KB and 491.26KB is actually hundreds or thousands of requests.

I think OP has a misconfigured piece of hardware or software that is continuously spamming those NTP servers.
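
As an added illustration (not part of any poster's message), the sketch below takes rows from the usage report in the first post and converts the billed volumes into implied packet counts, then flags what is out of line with normal NTP polling. The figures of 1 KB = 1024 bytes and 76 bytes per packet on the wire, and both thresholds, are assumptions, not values from the thread.

```python
from datetime import datetime

# Rows copied from the usage report in the first post:
# (start, end, uplink KB, downlink KB)
REPORT = [
    ("2013-03-02 10:13:35", "2013-03-02 10:13:37", 8.74, 491.26),
    ("2013-03-02 10:13:37", "2013-03-02 10:13:39", 9.04, 490.96),
    ("2013-03-02 10:13:46", "2013-03-02 10:13:48", 14.43, 485.57),
    ("2013-03-02 10:13:50", "2013-03-02 10:13:51", 4.72, 495.28),
]

# Assumptions (not from the thread): 1 KB = 1024 bytes, and every packet is a
# plain 48-byte NTP message (no extension or auth fields) plus an 8-byte UDP
# header and a 20-byte IPv4 header.
WIRE_BYTES = 48 + 8 + 20
MIN_POLL_SECONDS = 16   # shortest poll interval RFC 5905 allows (2**4 s)
MAX_DOWN_UP_RATIO = 2   # assumed threshold; one reply per request gives ~1
FMT = "%Y-%m-%d %H:%M:%S"


def analyse(row):
    """Turn one billing record into implied packet counts and rates."""
    start, end, up_kb, down_kb = row
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    seconds = delta.total_seconds()
    requests = up_kb * 1024 / WIRE_BYTES
    replies = down_kb * 1024 / WIRE_BYTES
    return {
        "seconds": seconds,
        "requests": round(requests),
        "replies": round(replies),
        "requests_per_second": requests / seconds,
        "down_up_ratio": down_kb / up_kb,
        "total_kb": round(up_kb + down_kb, 2),
    }


def flags(result):
    """Return the reasons a record does not look like ordinary time sync."""
    found = []
    if result["requests_per_second"] > 1 / MIN_POLL_SECONDS:
        found.append("polling faster than one request per 16 s")
    if result["down_up_ratio"] > MAX_DOWN_UP_RATIO:
        found.append("downlink far larger than uplink")
    return found


if __name__ == "__main__":
    for row in REPORT:
        r = analyse(row)
        print(row[0], r["requests"], "requests,", r["replies"], "replies,",
              f"{r['down_up_ratio']:.0f}x down/up,", "; ".join(flags(r)))
```

A packet capture on the LAN side of the router would replace the assumed packet size with measured ones.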
 
> I think the 500KB is the billing increment, so 8.74KB and 491.26KB is actually hundreds or thousands of requests.
>
> I think OP has a misconfigured piece of hardware or software that is continuously spamming those NTP servers.

Thanks for all of the feedback everyone. I really appreciate it. I suspect it might be my router sending the NTP requests. Will check the config when I get home. The provider is Cell C. When you say the billing increment is 500KB, do you mean they charge me for 500KB even if I only used 8.47KB, or are they simply grouping all the requests into 500KB chunks (in other words I have actually had 19GB of NTP traffic)?
 
Might be that you have landed up with a bad model or firmware. D-Link, Netgear and SMC have all had incidents where certain models flooded NTP servers due to bugs in their NTP implementation.

http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse

I can't find any bugs related to TP-Link specifically but if you can't find anything wrong with your configuration, do have a look if there are any firmware updates for your model.
 
> When you say the billing increment is 500KB, do you mean they charge me for 500KB even if I only used 8.47KB, or are they simply grouping all the requests into 500KB chunks (in other words I have actually had 19GB of NTP traffic)?

I think they're grouping incoming and outbound traffic into chunks of 500KB for billing purposes.

Imagine how long your itemized bill would be if they did it packet by packet. :)
 
> I suggest you find which device on your network is configured to fetch its time from 133.100.9.2 (clock.nc.fukuoka-u.ac.jp) and change it to 196.25.1.1.

You really don't want to do that. :)

There have been numerous incidents of time servers being completely killed when their IPs were hard-coded too many times over.

Rather use http://www.pool.ntp.org/

If you use the following NTP addresses then you'll get load balanced to local servers:

Code:
0.za.pool.ntp.org
1.za.pool.ntp.org
2.za.pool.ntp.org
3.za.pool.ntp.org
 
SpinyNorman
This is strange! I have the exact same problem. TP-Link TL-MR3420 v2 router - Firmware: 3.13.24 Build 120703. I also have a Cell C Giga 20 account.
I have been using this router and Black speedstick combination since last year and had no problem (I was on the 5GB contract).
In Feb 2013 I upgraded to the Giga 20 and then in March I had this problem. Today I received a statement from Cell C showing the IP address for every transaction and it is exactly like yours. This month my account was R2344 on top of the 20GB and for next month I am already at +- R800 on top of the 20 GB - That was on the second of April!!!! So I hope you limited your account!

My router's settings for NTP are 0.0.0.0 for server 1 and 2 and I never pressed the "Get GMT" button. (auto setup)

Cell C is of the opinion that this is my fault but I don't understand how an ISP can allow a "User" or his "hardware" to continuously do NTP updates every second for 24 hours without blocking or notifying the user.
I agree that viruses and configuration are my responsibility but be reasonable!!

Clearly we have a situation here of "3G modem - ISP(network) - router" not working together.

Please PM me. We need to talk strategy!! I am not going to let this go!!!

Thanks
dSil

PS: see my HalloPeter complaint "I am billed for data that I did not use!!!"
 
> ... and for next month I am already at +- R800 on top of the 20 GB - That was on the second of April!!!! So I hope you limited your account!

Stop using the router today, and/or get yourself a pre-paid SIM card with a hard cap today.

> My router's settings for NTP are 0.0.0.0 for server 1 and 2 and I never pressed the "Get GMT" button. (auto setup)
>
> Cell C is of the opinion that this is my fault but I don't understand how an ISP can allow a "User" or his "hardware" to continuously do NTP updates every second for 24 hours without blocking or notifying the user.
> I agree that viruses and configuration are my responsibility but be reasonable!!
>
> Clearly we have a situation here of "3G modem - ISP(network) - router" not working together.

Is the ISP really responsible for traffic that you generate?
If the router is at fault and Cell C supplied the router to you, then yes Cell C should take responsibility for the traffic from the router that they supplied.
If you use your own router for ADSL Internet access, is the ISP still liable for the extra traffic from the router?
Who takes responsibility for traffic your computer automatically generates in the background - like Windows updates?

Alternatively, have you contacted the place where you purchased the router? Should the supplier of the router take responsibility when software bugs result in you incurring losses? This is the same as - should Microsoft or any software supplier (incl. iPhone and Android Apps) accept liability when software bugs result in you incurring losses?

Hmmmm. There are a number of 3G Internet or ADSL Internet contract packages on the market that offer a free computer. Can you claim that the ISP is responsible for the data cost related to Windows updates as they supplied you with buggy software that automatically downloads frequent updates from the Internet?

What does the CPA say about this?
 