CenterClick NTP200 and NTP250 Documentation - Client List

Understanding the NTP Client List

The NTP200 and NTP250 will track all NTP clients that send packets to the device.

Age-out and Limits

Each client IP is tracked and aged out after 7 days of inactivity.

The device can track up to 500,000 or 1,000,000 clients depending on model. If that limit is reached, the 7 day age-out time will by dynamically reduced in an attempt to clear out old entries.

The client tracking data is saved and restored on a controlled reboot, shutdown, and upgrade. However, if the device has been powered off for many hours, power cycled without a proper shutdown, or an unexpected time step occurs while running, the saved state is discardeded.

Sorting

Use the and buttons to sort the client list ascending or descending.

Download and Export

The client list is available on the web interface, but also available for download in JSON and CSV formats. To see example data, just visit the Live Demos.

Entry Details

Each client entry records 8 pieces of data:

1. The Client IP
2. The Client Reverse DNS Entry (if enabled)
3. First packet time
4. Last (most recent) packet time
5. RX packet count
6. TX packet count
7. RX packet flags
8. TX packet flags

Using the above data, 2 additional items are computed:

1. The RX packet frequency
2. Any alerts

The RX frequency (called 'RX Every') is simply the average amount of time between each received packet over the entire lifetime the Client has been known

Each entry can be in one of 4 alert states:

1. No alerts
2. Sleep alert: a client hasn't been heard from in more than 2x its expected RX frequency (subject to some bounds)
3. Yellow alert: a client is sending way more packets than are responded to (likely rate limit) or the rx frequency is very short
4. Red alert: a client appears to be blocked due to ACLs or sending only invalid packets

DNS Lookups

The device will perform reverse DNS lookups in the background for all clients that send requests. These lookups are rate limited to at most 1 lookup per second and are refreshed at most once per day.

The DNS lookup functionality can be disabled using the Admin Console if not desired. Lookups are also automatically suspended if the device has more than 50000 clients.

Packet Flags

A set of flags is stored for each client in each direction (RX and TX). For each RX and TX packet, flags are computed from the packet content and are OR'ed with the stored flags from every previous packet. Only the OR'ed flags are stored so the flags shown is a union of all packets for that client since client tracking began for that client.

The individual flags are currently (this is subject to change in future software releases):

Examples

The below example from the Live Demos and some clients have come and gone idle causing Sleep alerts, but otherwise all is well.

The below example from an Internet exposed and NTP Pool registered NTP250 and includes both well behaved clients but also DDoS attack attempts. This appliance receives over 2 million unique clients IPs per day, most of which are only active for a few hours. Sorted by descending RX Count we can see some frequent (<30 second) clients, but also some DDoS attempts using spoofed source IPs. In the latter we can see that the rate limiting algorithm has blocked the DDoS attempts and only responded a few times.