If anything comes from this, I'd love to hear about it. As a student in the field, this is the kind of stuff I live for! ;) Pretty awesome to see the chain of events after seeing a post on the [pool] list!
Laurent
On 12/19/2016 05:12 PM, Justin Paine via NANOG wrote:
replying off list.
____________
Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
On Mon, Dec 19, 2016 at 1:49 PM, Dan Drown <dan-nanog@drown.org> wrote:
Quoting David <opendak@shaw.ca>:
On 2016-12-19 1:55 PM, Jan Tore Morken wrote:
On Mon, Dec 19, 2016 at 01:32:50PM -0700, David wrote:
I found devices doing lookups for all of these at the same time
{0,0.uk,0.us,asia,europe,north-america,south-america,oceania,africa}.pool.ntp.org and then it proceeds to use everything returned, which explains why everyone is seeing an increase.
Thanks, David. That perfectly matches the list of servers used by older versions of the ios-ntp library[1][2], which would point toward some iPhone app being the source of the traffic.
[1] https://github.com/jbenet/ios-ntp/blob/d5eade6a99041094f12f0c976dd4aaeed37e0...
[2] https://github.com/jbenet/ios-ntp/blob/5cc3b6e437a6422dcee9dec9da5183e283eff...
That would make sense - I see a lot of iCloud related lookups from these hosts as well.
Also, app.snapchat.com generally seems to follow just after the NTP pool DNS lookups. I don't have an iPhone to test that though.
Confirmed - starting up the iOS Snapchat app does a lookup to the domains you listed, and then sends NTP to every unique IP. Around 35-60 different IPs.
Anyone have a contact at Snapchat?
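Added example, not part of the original thread: one way a resolver operator could pick out clients showing the lookup pattern described above, where all nine pool names are queried at the same time. The log format, the function names and the 5-second window are assumptions made for this sketch, and the log lines are constructed.

```python
from collections import defaultdict

# Name prefixes quoted in the thread; each is queried under pool.ntp.org.
PREFIXES = ["0", "0.uk", "0.us", "asia", "europe", "north-america",
            "south-america", "oceania", "africa"]
SIGNATURE = frozenset(f"{p}.pool.ntp.org" for p in PREFIXES)

def build_sample_log():
    """Constructed log lines: '<epoch seconds> <client IP> <query name>'."""
    names = sorted(SIGNATURE)
    # Client .10: all nine names in under a second, then the app lookup.
    lines = [f"{100 + i * 0.1:.1f} 192.0.2.10 {n.upper()}." for i, n in enumerate(names)]
    lines.append("101.0 192.0.2.10 app.snapchat.com")
    # Client .20: an ordinary NTP client using a single pool name.
    lines.append("100.5 192.0.2.20 0.pool.ntp.org")
    # Client .30: all nine names, but spread over almost an hour.
    lines += [f"{1000 + i * 400}.0 192.0.2.30 {n}" for i, n in enumerate(names)]
    lines.append("garbage line that is not a query record")
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()

def parse(log):
    """Yield (time, client, normalized qname); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            t = float(parts[0])
        except ValueError:
            continue
        yield t, parts[1], parts[2].rstrip(".").lower()

def find_burst_clients(log, window=5.0):
    """Map client -> burst start for clients that queried every
    signature name within `window` seconds (assumed threshold)."""
    last_seen = defaultdict(dict)   # client -> {qname: latest query time}
    hits = {}
    for t, client, qname in sorted(parse(log)):
        if qname not in SIGNATURE:
            continue
        last_seen[client][qname] = t
        times = last_seen[client].values()
        if client not in hits and len(times) == len(SIGNATURE) and t - min(times) <= window:
            hits[client] = min(times)
    return hits

if __name__ == "__main__":
    print(find_burst_clients(SAMPLE_LOG))
```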