CenterClick NTP200 and NTP250 Documentation - Client List
o Getting Started
o Release Notes
o Front Panel Button
o Front Panel LEDs
o USB Console
o Admin CLI
o Using HTTPS
o SSH Authentication
o Client List
o Antenna Issues
o PPS Output
Feedback and Bug Reports
Shipping and Tax
Returns and Warranty
Understanding the NTP Client List
The NTP200 and NTP250 will track all NTP clients that send packets to the device.
Age-out and Limits
Each client IP is tracked and aged out after 7 days of inactivity.
The device can track up to 1 million clients. If that limit is reached, the age-out time will by dynamically reduced in an attempt to clear out old entries. Under extreme cases such as a Denial of Service where the reduced age-out time is still insufficient, new client entries will simply not be created to bound RAM usage.
The client tracking data is not persistent, it is cleared on each reboot or if there is an unexpected time step.
Use the and buttons to sort the client list ascending or descending.
Download and Export
The client list is available on the web interface, but also available for download in JSON and CSV formats. To see example data, just visit the Live Demo.
Each client entry records 8 pieces of data:
Using the above data, 2 additional items are computed:
The RX frequency (called 'RX Every') is simply the average amount of time between each received packet over the entire lifetime the Client has been known
Each entry can be in one of 4 alert states:
The device will perform reverse DNS lookups in the background for all clients that send requests. These lookups are rate limited to at most 1 lookup per second and are refreshed once per day.
The DNS lookup functionality can be disabled using the Admin Console if not desired. Lookups are also automatically suspended if the device has more than 50000 clients.
A set of flags is stored for each client in each direction (RX and TX). For each RX and TX packet, flags are computed from the packet content and are OR'ed with the stored flags from every previous packet. Only the OR'ed flags are stored so the flags shown is a union of all packets for that client since client tracking began for that client.
The individual flags are currently (this is subject to change in future software releases):
The below example from the Live Demo and some clients have come and gone idle causing Sleep alerts, but otherwise all is well.
The below example from an Internet exposed and NTP Pool registered NTP250 and includes both well behaved clients but also DDoS attack attempts. This appliance receives over 2 million unique clients IPs per day, most of which are only active for a few hours. Sorted by descending RX Count we can see some frequent (<30 second) clients, but also some DDoS attempts using spoofed source IPs. In the latter we can see that the rate limiting algorithm has blocked the DDoS attempts and only responded a few times.