[ntp:questions] Unauthorized remote server configuration

Bob bobsjunkmail at bellsouth.net
Sat Jul 5 14:58:42 UTC 2008

Subject was  Re: Generating keys for ntpdc control
"Per Hedeland" <per at hedeland.org> wrote in message 
news:g4noe9$hb2$1 at hedeland.org...
>>There was no change to my config file.
> No, there is no code in ntpd to write to the config file, but of course
> changing the running config is serious enough.
>> I noticed that I was frequently
>>polling a single server in addition to my normal list, which were being
>>polled at their normal rate.
> How did you determine that you were "polling" that server, and not just
> sending replies to requests?
>> I looked at my server list, via ntpdc, and
>>there was about 15 entries for the same IP.
> What exact ntpdc command did you use for this?
> --Per Hedeland
> per at hedeland.org

It's happened again. I disabled auth last night after my previous post, and 
let it run overnight with Wireshark capturing I've now got two IP addresses 
listed as peers that I did not add. They are listed as "sym_passive". I see 
requests from these sites listed as "mode 1" in monlist. Looking at the 
Wireshark packet captures, the packet from the remote that seems to make me 
start polling the remote contains a flag of  "Symmetric Mode Active". I got 
a number of packets from this same remote that I began polling, that when 
looked at with Wireshark, did things like changing polling frequency. All 
had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive" 

According to the docs, "Since an intruder can impersonate a symmetric active 
peer and inject false time values, symmetric mode should always be 
cryptographically validated." That's what seems to be the attempt here 
because, as you can see below, the unwanted peers' time is offset. This ONLY 
happens when I say disable auth in the config. When I say enable auth, or 
leave disable auth out, I've never had a problem. Also, this morning, since 
the remote was actively sending these packets, I removed disable auth from 
the config, and restarted. The packets they sent had no effect. I then 
reinserted disable auth, and restarted. With the first packet they sent, I 
began polling them for time, and they were inserted as a peer. I've got the 
packet captures for what was sent, and my response if anyone thinks this 
might be a bug that warrants further investigation.

BTW: I'm running the current Windows port.

ntpdc> listpee
client    xxx.xxx.xxx.xxx
client    client    LOCAL(0)
client    xxx.xxx.xxx.xxx
client    xxx.xxx.xxx.xxx
sym_passive xxx.xxx.xxx.xxx
sym_passive xxx.xxx.xxx.xxx
ntpdc> peer
     remote           local      st poll reach  delay   offset    disp
=xxx.xxx.xxx.xxx      2  128  377 0.05254 -0.002906 0.08342
=xxx.xxx.xxx.xxx      1  128  377 0.04851 -0.002161 0.08820
=LOCAL(0)        5   16  377 0.00000  0.000000 0.01515
=xxx.xxx.xxx.xxx      2  128  377 0.05470  0.000449 0.08444
*xxx.xxx.xxx.xxx      1  128  377 0.02818 -0.000289 0.06276
-xxx.xxx.xxx.xxx      2  128  117 0.06007 -0.053240 0.30006
-xxx.xxx.xxx.xxx      3  512    0 0.28026  0.465356 3.99217

More information about the questions mailing list