Clock gone wild - NTP and TCPDUMP

[Joe F]

Over the last 3 hours (since desktop running TCPDUMP woke up so may have been longer) I'm seeing massive hits on random NTP servers non-stop.

I thought at first just looking at my switch traffic that I was getting a new update as the packet count was much higher than normal, but when I opened the terminal window where I've had a tcpdump session running, I was shocked to see it was NTP hits.

Has anyone ever seen this behavior before? Going on as I write this:

08:41:42.422063 IP hadb2.smatwebdesign.com.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.435279 IP 192.168.1.78.ntp > 159.203.158.197.ntp: NTPv4, Client, length 48

08:41:42.435742 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.512639 IP 69.36.182.57.west-datacenter.net.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.515805 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.590433 IP 69.36.182.57.west-datacenter.net.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.595880 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.635005 IP 192.168.1.78.ntp > time.richiemcintosh.com.ntp: NTPv4, Client, length 48

08:41:43.435049 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:45.541230 IP 192.168.1.78.ntp > services.quadranet.com.ntp: NTPv4, Client, length 48

08:41:46.546385 IP 192.168.1.78.ntp > horp-bsd01.horp.io.ntp: NTPv4, Client, length 48

08:41:46.576479 IP horp-bsd01.horp.io.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

 

[Twiglett]

Over the last 3 hours (since desktop running TCPDUMP woke up so may have been longer) I'm seeing massive hits on random NTP servers non-stop.

I thought at first just looking at my switch traffic that I was getting a new update as the packet count was much higher than normal, but when I opened the terminal window where I've had a tcpdump session running, I was shocked to see it was NTP hits.

Has anyone ever seen this behavior before? Going on as I write this:

08:41:42.422063 IP hadb2.smatwebdesign.com.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.435279 IP 192.168.1.78.ntp > 159.203.158.197.ntp: NTPv4, Client, length 48

08:41:42.435742 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.512639 IP 69.36.182.57.west-datacenter.net.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.515805 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.590433 IP 69.36.182.57.west-datacenter.net.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

08:41:42.595880 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:42.635005 IP 192.168.1.78.ntp > time.richiemcintosh.com.ntp: NTPv4, Client, length 48

08:41:43.435049 IP 192.168.1.78.ntp > 69.36.182.57.west-datacenter.net.ntp: NTPv4, Client, length 48

08:41:45.541230 IP 192.168.1.78.ntp > services.quadranet.com.ntp: NTPv4, Client, length 48

08:41:46.546385 IP 192.168.1.78.ntp > horp-bsd01.horp.io.ntp: NTPv4, Client, length 48

08:41:46.576479 IP horp-bsd01.horp.io.ntp > 192.168.1.78.ntp: NTPv4, Server, length 48

Your Model 3 is doing this?

 

[Joe F]

Crap. Wrong forum.

No, Model S, but since they share code, could just as well be.

Will have it moved. Thanks for the heads-up.

 

[RangerRick]

No, Model S, but since they share code, could just as well be.

Not yet, unless you're at a service center, or sniffing cellular traffic. Model 3 can't configure WiFi yet.

 

[Doug_G]

Crap. Wrong forum.

No, Model S, but since they share code, could just as well be.

Will have it moved. Thanks for the heads-up.

Moved.

 

[luckyj]

Perhaps just some side effect of the LTE outage. I'd caution against wild speculation until that's resolved.

 

[Joe F]

Perhaps just some side effect of the LTE outage. I'd caution against wild speculation until that's resolved.

Yeah, I was just about to post that in the LTE thread I just saw.

"Wild speculation" for the problem I'm seeing, which could very well be a H/W issue, is a tad much, IMHO. Asking if anyone else has seen something like this is hardly wild speculation...

 

[cgrubbe]

Just checked logs on my firewall and there has been around 14MB of NTP traffic to/from my S so far today. Quite a bit more than typical.

 

[Joe F]

Just checked logs on my firewall and there has been around 14MB of NTP traffic to/from my S so far today. Quite a bit more than typical.

Thanks. That pretty much confirms it. Probably related to the LTE problem.

I reported it to Tesla locally before I knew about the LTE outage, but so far have heard nothing from them.

I finally decided to brute force the problem and blocked NTP access at the router level a few minutes ago. That at least calmed things down for now. Will open it up after they resolve the LTE snafu.

 

[Joe F]

Just to add a final thought on this problem: This has to be treated by Tesla as a bug. Hopefully this LTE problem is rare, however, if affected cars are on wifi, they are probably hitting on NTP servers 10's of times a second, times the number of affected cars. DDOS for NTP?

It needs to throttle back. There's no need for checking NTP as often as its does on a normal basis. Now with the LTE outage, it's clear something needs to be tweaked. Reporting to Tesla, FWIW.

 

[namlio]

I know nothing about net work traffic. Do you have the new nav yet? Any possibility that it could be related to that download?

 

[Joe F]

I know nothing about net work traffic. Do you have the new nav yet? Any possibility that it could be related to that download?

No, it is not possible.