CenterClick NTP200 and NTP250 Documentation - Client List


Main

Docs
o Features
o Hardware
o Software
o Getting Started
o Release Notes
o Front Panel Button
o Front Panel LEDs
o USB Console
o Admin CLI
o Using HTTPS
o SSH Authentication
o Client List
o Antenna Issues
o Graphs

Live Demo

Help and Contact

Feedback and Bug Reports


Understanding the NTP Client List

The NTP200 and NTP250 will track all NTP clients that send packets to the device.

Ageout and Limits

Each client IP is tracked and aged out after 7 days of inactivity.

The device can track up to 1 million clients. If that limit is reached, the ageout time will by dynamically reduced in an attempt to clear out old entries. Under extreme cases such as a Denial of Service where the reduced ageout time is still insuffient, new client entries will simply not be created to bound RAM usage.

The client tracking data is not persistent, it is cleared on each reboot or if there is an unexpected time step.

Sorting

Use the sort and sort buttons to sort the client list ascending or decending.

Download and Export

The client list is available on the web interface, but also available for download in JSON and CSV formats. To see example data, just visit the Live Demo.

Entry Details

Each client entry records 5 peices of data:

  1. The Client IP
  2. First packet time
  3. Last (most recent) packet time
  4. RX packet count
  5. TX packet count

Using the above data, 2 additional items are computed:

  1. The RX packet frequency
  2. Any alerts

The RX requency (called 'RX Every') is simply the average amount of time between each received packet over the entire lifetime the Client has been known

Each entry can be in one of 4 alert states:

  1. No alerts
  2. sleep Sleep alert: a client hasn't been heard from in more than 2x its expected RX frequency (subject to some bounds)
  3. yellow Yellow alert: a client is sending way more packets than are responded to (likely rate limit) or the rx frequency is very short
  4. red Red alert: a client appears to be blocked due to ACLs or sending only invalid packets

Examples

The below example from the Live Demo and some clients have come and gone idle causing Sleep alerts, but otherwise all is well.

NTP250 Clients

The below example from an Internet exposed and NTP Pool registered NTP250 and includes both well behaved clients but also DDoS attack attempts. This appliance receives over 2 million unique clients IPs per day, most of which are only active for a few hours. Sorted by descending RX Count we can see some frequent (<30 second) clients, but also some DDoS attempts using spoofed source IPs. In the latter we can see that the rate limiting algorithm has blocked the DDoS attempts and only responded a few times.

NTP250 Clients


© 2021 CenterClick LLC