[ntp:questions] Re: Question on abusive clients.

Danny Mayer mayer at ntp.isc.org
Fri Dec 23 03:16:43 UTC 2005


Michael Deutschmann wrote:
> On Thu, 22 Dec 2005, Karel Sandler wrote:
> 
>>My question is, if there is a possibility how to distinguish between a
>>misconfigured client or a group of more or less standard clients behind a
>>NAT. Originally, I thought, it would be easy. Ideally, the timestamps of a
> 
> 
> Perhaps you could look at the source ports.  I'm not sure, but I think NTPD
> not only listens on port 123, it uses that as its source port.  A
> masquerading system will remap the source port to something else, usually
> quite high, and definitely outside of Unix's traditional "reserved ports"
> range (< 1024).
> 

ntpdate uses a random port by default. However, standard ntp servers only
send and receive NTP packets on port 123.

Danny
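
The source-port check discussed in this thread, as an added example that is not part of the original posts: it groups observed request source ports per client IP and labels each IP, keeping the ntpdate caveat visible as an ambiguous result rather than a NAT verdict. The sample observations, the label names and the function name are constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123
RESERVED_LIMIT = 1024  # ports below this are the traditional Unix "reserved" range

# Constructed sample: (source IP, source UDP port) of requests seen by the server.
# Addresses come from the documentation ranges; none are real clients.
SAMPLE = [
    ("192.0.2.10", 123), ("192.0.2.10", 123), ("192.0.2.10", 123),
    ("198.51.100.7", 40211), ("198.51.100.7", 51877), ("198.51.100.7", 62003),
    ("203.0.113.5", 33412),
    ("203.0.113.9", 123), ("203.0.113.9", 45001),
]

def classify_sources(observations):
    """Return {ip: label} based only on the set of source ports seen per IP."""
    ports_by_ip = defaultdict(set)
    for ip, port in observations:
        ports_by_ip[ip].add(port)

    verdicts = {}
    for ip, ports in ports_by_ip.items():
        high = {p for p in ports if p >= RESERVED_LIMIT}
        if ports == {NTP_PORT}:
            # Consistent with a daemon sending from port 123, not remapped.
            verdicts[ip] = "port-123-only"
        elif high and NTP_PORT in ports:
            # Both kinds of traffic share one address.
            verdicts[ip] = "mixed"
        elif len(high) > 1:
            # Several remapped flows, or repeated runs of a client that
            # picks a random port (ntpdate by default): still ambiguous.
            verdicts[ip] = "multiple-high-ports"
        elif len(high) == 1:
            # Remapped by masquerading, or an ntpdate-style random port.
            verdicts[ip] = "single-high-port"
        else:
            verdicts[ip] = "other"
    return verdicts

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE).items()):
        print(f"{ip:15s} {label}")
```

Only "port-123-only" says something definite here; every high-port label needs a second signal before an address is treated as a NAT gateway or as an abusive client.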


