Wait.. they are saying the app itself is making NTP requests?<p>> <i>Confirmed - starting up the iOS Snapchat app does a lookup to the domains you listed, and then sends NTP to every unique IP. Around 35-60 different IPs.</i><p>Hmm. Is that a fraud prevention thing or something? No way on earth a user app should be getting its own time
Why on earth would you do that?<p>If you want to prevent users from altering their time use your server and do a time compare with your server.<p>NTP can be easily intercepted and altered so it would make a lot more sense to do this via a encrypted certificate pinned communication path increasing my work load drastically to alter the time.<p>I snapchat going to pay for the DDOS they created?
For whatever reason, ntppool.org is blocked at my work.<p>And of course, you don't get the page that states why when the website is served via https. Not that I need to see the page to know it was either blocked for "hacking" or "entertainment", and I'm guessing it's not entertainment.<p>Edit: This probably explains why our clocks have been off by 45 minutes since Monday. I guess it will be entertaining to see how long it takes for IT to figure this one out.
According to the forum, the pattern matched this third-party library:<p><a href="https://github.com/jbenet/ios-ntp" rel="nofollow">https://github.com/jbenet/ios-ntp</a><p>Specifically, all the servers(!) from here are contacted: <a href="https://github.com/jbenet/ios-ntp/blob/master/ios-ntp-lib/NetworkClock.m#L121" rel="nofollow">https://github.com/jbenet/ios-ntp/blob/master/ios-ntp-lib/Ne...</a><p>Note that the library author wrote:<p>"ios-ntp is often (mostly?) used to make sure someone hasn't fiddled with the system clock. The complications involved in using multiple servers and averaging time offsets is overkill for this purpose. The following skeleton code is all that is needed to check the time."<p>And that "skeleton" contacts just "time.apple.com"<p>But the library really has the default possibility of contacting a lot of the ntp.org servers from a big list ("createAssociations" with no parameters!) and it's bad.<p>As we know, the developers like to just "copy-paste" whatever is where. Or use any defaults. "Hey it works."
FWIW my teenage daughter has been complaining about this latest Snapchat update for iOS the past couple days. It constantly crashes and causes the phone to reboot itself. Looking at Twitter, there's tons and tons of people reporting the same issue, so it seems pretty widespread. Wonder if it's related to this NTP issue.
It is interesting to read through the whole thread in a chronological order starting from the first message: <a href="http://mailman.nanog.org/pipermail/nanog/2016-December/089525.html" rel="nofollow">http://mailman.nanog.org/pipermail/nanog/2016-December/08952...</a><p>It took 4 days, to zero on the root cause. As is usual in a complex scenario like this there are a few false positives, some suspects abusing the protocol and alas final redemption. Amazing work by a dedicated group of technical folks in coordinating (just via emails, I suppose) and tracing the root cause.
This happens often enough that Wikipedia has a page devoted to it: <a href="https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse" rel="nofollow">https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse</a><p>The first one I had heard of was Netgear vs. UW-Madison.
I wondered why I was seeing so much packet loss on my IP:
<a href="http://mrtg.vi-di.fr/krootservers.ping.html" rel="nofollow">http://mrtg.vi-di.fr/krootservers.ping.html</a><p>Guess I know why now..
I do some work for the Network Time Foundation and we were not contacted by snapchat as far as I know. Anyone have a contact there, they probably need our help.