[ntp:questions] Re: abuse or bug ?

David L. Mills mills at udel.edu
Wed Feb 23 00:53:20 UTC 2005


Henk,

I take it what you report here is the perpetrator, not the victim.

As reported previously, there was a snapshot that under certain rare 
conditions could transmit continuously at one-second intervals; that 
was fixed pretty quick, but it happened in the 4.2.0a series, not the 
4.2.0-r2 version reported here. What happened was a nonfatal KoD packet 
reset the association, which then sent a single packet and got killed 
again. The fact that the billboards show the results of a KoD packet 
leads me to believe the perp has the same bum snapshot. Note the access 
denied tattletale in the ntpdc stats. Almost all the packets received 
are being denied.

See: http://www.eecis.udel.edu/~mills/database/papers/ptti/ptti04a.pdf

Dave

Henk Penning wrote:
> In <ctm4j3$r1u$1 at june.cs.uu.nl> henkp at cs.uu.nl (Henk Penning) writes:
> 
> 
>> For the record, I got into contact with Ames Research IT security.
>> They were very helpful (the 'abuse' stopped) but not at liberty
>> to tell me /anything/ about the machine or its software.
> 
> 
>   This turned out to be a Gentoo box too ; no specifics given.
> 
>   Here is another example (again a gentoo box) ; it polled
>   ntp.cs.uu.nl every 2 seconds, for the last 264.7 hours.
> 
>   ----------------------------------------------------------------
>          site      count pack/min   last [hrs ago]  first [hrs ago]
> lucca.capo.os3.nl 431799  27.1854              0.0            264.7
>   ----------------------------------------------------------------
> 
>   Hardware:
>     Sun Enterprise 450, 2 CPU's (Ultrasparc II) , 1 used
> 
>   Operating system:
>     Gentoo 2004-3 Linux lucca 2.4.27-sparc #1
>     Fri Oct 29 13:07:36 UTC 2004 sparc64 sun4u  
>     TI UltraSparc II (BlackBird) GNU/Linux
> 
>   ntpd: 
>     net-misc/ntp
>     Latest version available: 4.2.0-r2
>     Latest version installed: 4.2.0-r2
>     Size of downloaded files: 2,480 kB
>     Homepage:    http://www.ntp.org/
>     Description: Network Time Protocol suite/programs
>     License:     as-is
> 
>   ntp.conf:
>     restrict default noquery notrust nomodify
>     restrict 127.0.0.1
>     restrict 145.92.24.0 mask 255.255.255.0
>     fudge 127.127.1.0 stratum 3
>     server 127.127.1.0
>     driftfile /var/lib/ntp/ntp.drift
>     logfile /var/log/ntp.log
>     server ntp.phil.uu.nl
>     server ntp.cs.uu.nl
>     server chime2.surfnet.nl
>     server rolex.ripe.net
> 
> ntpdc -c dm -c loo -c sysi -c syss
>       remote           local      st poll reach  delay   offset    disp
> =======================================================================
>   chime2.surfnet. 145.92.25.10    16   64    0 0.00000  0.000000 0.00000
>   goedel.admin.ph 145.92.25.10    16  128    0 0.00000  0.000000 0.00000
> *2001:610:240:2: ::                1 1024  377 0.00337  0.000099 0.01480
>   LOCAL(0)        127.0.0.1        5   64  377 0.00000  0.000000 0.00092
>   doei.cs.uu.nl   145.92.25.10    16   64    0 0.00000  0.000000 0.00000
> offset:               0.000099 s
> frequency:            54.878 ppm
> poll adjust:          30
> watchdog timer:       1698 s
> system peer:          2001:610:240:2:ffff::228
> system peer mode:     client
> leap indicator:       00
> stratum:              2
> precision:            -19
> root distance:        0.00337 s
> root dispersion:      0.04401 s
> reference ID:         [254.141.161.178]
> reference time:       c5bf494f.45223183  Thu, Feb 17 2005 17:48:15.270
> system flags:         auth monitor ntp kernel stats
> jitter:               0.000946 s
> stability:            0.001 ppm
> broadcastdelay:       0.003998 s
> authdelay:            0.000000 s
> time since restart:     2085163
> time since reset:       2085163
> packets received:       2804823
> packets processed:      2222
> current version:        2800025
> previous version:       4786
> bad version:            0
> access denied:          2790089
> bad length or format:   0
> bad authentication:     0
> rate exceeded:          0
> 
> ntpq -p [ reformatted output ]
> remote      refid      st t when poll reach   delay   offset   jitter
> =====================================================================
>  LOCAL(0)        73.78.73.84
>                         5 l   52   64  377    0.000    0.000    0.002
>  goedel.admin.ph .RSTR.
>                        16 u    -  128    0    0.000    0.000  4000.00
>  doei.cs.uu.nl   .RSTR.
>                        16 u    -   64    0    0.000    0.000  4000.00
>  chime2.surfnet. .RSTR.
>                        16 u    -   64    0    0.000    0.000  4000.00
> *2001:610:240:2: .GPS.
>                         1 u  675 1024  377    3.375    0.099    0.380
> 
> Henk Penning
> --
> ----------------------------------------------------------------   _
> Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
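
The symptom pointed out in the reply above (almost every received packet counted as access denied, while the configured servers show `.RSTR.` at reach 0) can be checked mechanically. The following is an added example, not part of the original message or of the NTP distribution; the function names, the 0.9 threshold and the one-line-per-peer billboard layout are assumptions, and the counters and peer rows are taken from the quoted output.

```python
import re

# Counters copied from the `ntpdc -c syss` output quoted in the message.
SYSSTATS = """\
time since reset:       2085163
packets received:       2804823
packets processed:      2222
access denied:          2790089
"""

# Peer rows from the reformatted `ntpq -p` billboard in the message,
# re-joined onto one line each (constructed layout, values from the page).
BILLBOARD = """\
 LOCAL(0)        73.78.73.84      5 l   52   64  377    0.000    0.000    0.002
 goedel.admin.ph .RSTR.          16 u    -  128    0    0.000    0.000  4000.00
 doei.cs.uu.nl   .RSTR.          16 u    -   64    0    0.000    0.000  4000.00
 chime2.surfnet. .RSTR.          16 u    -   64    0    0.000    0.000  4000.00
*2001:610:240:2: .GPS.            1 u  675 1024  377    3.375    0.099    0.380
"""

def parse_sysstats(text):
    """Return {counter name: int} for every 'name: number' line."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?):\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def restricted_peers(billboard):
    """Peers whose refid is the .RSTR. kiss code and whose reach is 0."""
    hits = []
    for line in billboard.splitlines():
        f = line[1:].split()  # column 0 holds the tally character
        if len(f) >= 7 and f[1] == ".RSTR." and f[6] == "0":
            hits.append(f[0])
    return hits

def assess(stats, peers, denied_threshold=0.9):
    """Flag a host that drops nearly all received NTP packets while its
    configured servers answer .RSTR. (threshold is an assumed value)."""
    received = stats["packets received"]
    ratio = stats["access denied"] / received if received else 0.0
    uptime = stats.get("time since reset", 0)  # treated as seconds
    return {"denied_ratio": ratio, "rx_per_sec": received / uptime if uptime else 0.0,
            "suspect": ratio >= denied_threshold and bool(peers)}

if __name__ == "__main__":
    print(assess(parse_sysstats(SYSSTATS), restricted_peers(BILLBOARD)))
```

On the quoted figures this reports a denied ratio of about 0.995 and roughly 1.3 packets received per second, with three `.RSTR.` associations stuck at reach 0.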


