![]() |
![]() |
![]() |
![]() |
||||||||||||||||||||||||||||||||||||
![]() |
![]() |
![]() |
|||||||||||||||||||||||||||||||||||||
![]()
|
|||||||||||||||||||||||||||||||||||||||
![]() |
![]() Main Docs o Features o Hardware o Software o Getting Started o Release Notes o Front Panel Button o Front Panel LEDs o USB Console o Admin CLI o Using HTTPS o SSH Authentication o Client List o Antenna Issues o Graphs o PPS Output o Reimage Live Demo Contact Us Feedback and Bug Reports Follow us on LinkedIn Privacy Policy Shipping and Tax Returns and Warranty |
![]() Understanding the NTP Client ListThe NTP200 and NTP250 will track all NTP clients that send packets to the device. Age-out and LimitsEach client IP is tracked and aged out after 7 days of inactivity. The device can track up to 1 million clients. If that limit is reached, the age-out time will by dynamically reduced in an attempt to clear out old entries. Under extreme cases such as a Denial of Service where the reduced age-out time is still insufficient, new client entries will simply not be created to bound RAM usage. The client tracking data is not persistent, it is cleared on each reboot or if there is an unexpected time step. SortingUse the Download and ExportThe client list is available on the web interface, but also available for download in JSON and CSV formats. To see example data, just visit the Live Demo. Entry DetailsEach client entry records 8 pieces of data:
Using the above data, 2 additional items are computed:
The RX frequency (called 'RX Every') is simply the average amount of time between each received packet over the entire lifetime the Client has been known Each entry can be in one of 4 alert states:
DNS LookupsThe device will perform reverse DNS lookups in the background for all clients that send requests. These lookups are rate limited to at most 1 lookup per second and are refreshed once per day. The DNS lookup functionality can be disabled using the Admin Console if not desired. Lookups are also automatically suspended if the device has more than 50000 clients. Packet FlagsA set of flags is stored for each client in each direction (RX and TX). For each RX and TX packet, flags are computed from the packet content and are OR'ed with the stored flags from every previous packet. Only the OR'ed flags are stored so the flags shown is a union of all packets for that client since client tracking began for that client. The individual flags are currently (this is subject to change in future software releases):
ExamplesThe below example from the Live Demo and some clients have come and gone idle causing Sleep alerts, but otherwise all is well. ![]() The below example from an Internet exposed and NTP Pool registered NTP250 and includes both well behaved clients but also DDoS attack attempts. This appliance receives over 2 million unique clients IPs per day, most of which are only active for a few hours. Sorted by descending RX Count we can see some frequent (<30 second) clients, but also some DDoS attempts using spoofed source IPs. In the latter we can see that the rate limiting algorithm has blocked the DDoS attempts and only responded a few times. ![]() |
|||||||||||||||||||||||||||||||||||||
![]() |
|||||||||||||||||||||||||||||||||||||||
![]() |