[ntp:questions] Unauthorized remote server configuration
bobsjunkmail at bellsouth.net
Sat Jul 5 14:58:42 UTC 2008
Subject was Re: Generating keys for ntpdc control
"Per Hedeland" <per at hedeland.org> wrote in message
news:g4noe9$hb2$1 at hedeland.org...
>> There was no change to my config file.
> No, there is no code in ntpd to write to the config file, but of course
> changing the running config is serious enough.
>> I noticed that I was frequently
>> polling a single server in addition to my normal list, which were being
>> polled at their normal rate.
> How did you determine that you were "polling" that server, and not just
> sending replies to requests?
>> I looked at my server list, via ntpdc, and
>> there was about 15 entries for the same IP.
> What exact ntpdc command did you use for this?
> --Per Hedeland
> per at hedeland.org
It's happened again. I disabled auth last night after my previous post, and
let it run overnight with Wireshark capturing. I've now got two IP addresses
listed as peers that I did not add. They are listed as "sym_passive". I see
requests from these sites listed as "mode 1" in monlist. Looking at the
Wireshark packet captures, the packet from the remote that seems to make me
start polling the remote contains a flag of "Symmetric Mode Active". I got
a number of packets from this same remote that I began polling that, when
looked at with Wireshark, did things like changing polling frequency. All
had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive".

According to the docs, "Since an intruder can impersonate a symmetric active
peer and inject false time values, symmetric mode should always be
cryptographically validated." That's what seems to be the attempt here
because, as you can see below, the unwanted peers' time is offset. This ONLY
happens when I say "disable auth" in the config. When I say "enable auth", or
leave "disable auth" out, I've never had a problem. Also, this morning, since
the remote was actively sending these packets, I removed "disable auth" from
the config and restarted. The packets they sent had no effect. I then
reinserted "disable auth" and restarted. With the first packet they sent, I
began polling them for time, and they were inserted as a peer. I've got the
packet captures for what was sent, and my response, if anyone thinks this
might be a bug that warrants further investigation.
BTW: I'm running the current Windows port.
client client LOCAL(0)
     remote           local       st poll reach   delay    offset     disp
=xxx.xxx.xxx.xxx  10.33.90.10     2   128   377  0.05254 -0.002906  0.08342
=xxx.xxx.xxx.xxx  10.33.90.10     1   128   377  0.04851 -0.002161  0.08820
=LOCAL(0)         127.0.0.1       5    16   377  0.00000  0.000000  0.01515
=xxx.xxx.xxx.xxx  10.33.90.10     2   128   377  0.05470  0.000449  0.08444
*xxx.xxx.xxx.xxx  10.33.90.10     1   128   377  0.02818 -0.000289  0.06276
-xxx.xxx.xxx.xxx  10.33.90.10     2   128   117  0.06007 -0.053240  0.30006
-xxx.xxx.xxx.xxx  10.33.90.10     3   512     0  0.28026  0.465356  3.99217
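The check described in the post above, as an added example that is not part of the original thread or of ntpd itself: decode the first byte of each captured NTP packet (LI, version and mode, per RFC 5905) and flag the symmetric-active (mode 1) requests that carry no MAC, since those are exactly the packets an ntpd running with "disable auth" will accept as a new "sym_passive" peer. The packet builder and the sample packets are constructed here for illustration; the parser assumes there are no NTPv4 extension fields, so any bytes after the 48-byte header are taken to be a key id plus a 16-byte (MD5) or 20-byte (SHA-1) digest.

```python
"""Added example (not code from the original thread or from ntpd): decode the
NTP header of captured packets and flag unauthenticated symmetric-active
(mode 1) requests, the packets the post reports seeing in Wireshark.

Assumptions, labelled as such:
  * NTPv4 header layout per RFC 5905 (48-byte header; first byte = LI|VN|mode).
  * No extension fields, so any trailer is a MAC: 4-byte key id followed by a
    16-byte (MD5) or 20-byte (SHA-1) digest.
  * The sample packets below are constructed here, not taken from the post.
"""
import struct
from typing import List, NamedTuple, Optional

NTP_HEADER_LEN = 48
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast",
              6: "control", 7: "private"}


class NtpSummary(NamedTuple):
    leap: int
    version: int
    mode: int
    mode_name: str
    stratum: int
    poll: int            # log2 seconds, signed byte in the header
    authenticated: bool  # True when a MAC trailer is present
    key_id: Optional[int]


def parse_ntp(packet: bytes) -> NtpSummary:
    """Decode the fixed header fields and detect a trailing MAC."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    first, stratum, poll = struct.unpack("!BBb", packet[:3])
    leap = first >> 6            # bits 7-6
    version = (first >> 3) & 7   # bits 5-3
    mode = first & 7             # bits 2-0: 1 = symmetric active
    trailer = packet[NTP_HEADER_LEN:]
    # Assumption: no extension fields, so a 20- or 24-byte trailer is key id + digest.
    authenticated = len(trailer) in (4 + 16, 4 + 20)
    key_id = struct.unpack("!I", trailer[:4])[0] if authenticated else None
    return NtpSummary(leap, version, mode, MODE_NAMES[mode],
                      stratum, poll, authenticated, key_id)


def unauthenticated_sym_active(packets: List[bytes]) -> List[NtpSummary]:
    """Packets an ntpd with 'disable auth' would accept as a new symmetric-active
    peer: mode 1 with no MAC. With auth enabled these are rejected instead."""
    return [s for s in (parse_ntp(p) for p in packets)
            if s.mode == 1 and not s.authenticated]


def build_packet(mode: int, stratum: int = 2, poll: int = 6,
                 key_id: Optional[int] = None, digest_len: int = 16) -> bytes:
    """Constructed sample packet (hypothetical helper, not from the post).
    Timestamps are zeroed and the digest is zero-filled rather than computed."""
    first = (0 << 6) | (4 << 3) | mode                      # LI=0, VN=4
    header = struct.pack("!BBbb", first, stratum, poll, -20) + bytes(44)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + bytes(digest_len)


# Constructed captures: an ordinary client request, an unauthenticated
# symmetric-active request, and a symmetric-active request carrying an MD5 MAC.
SAMPLE_PACKETS = [
    build_packet(mode=3),
    build_packet(mode=1, poll=7),
    build_packet(mode=1, key_id=10, digest_len=16),
]

if __name__ == "__main__":
    for s in unauthenticated_sym_active(SAMPLE_PACKETS):
        print(f"would mobilise a sym_passive peer: {s.mode_name}, "
              f"stratum {s.stratum}, poll 2^{s.poll} s, no MAC")
```

In Wireshark the same test is the low three bits of the first byte of the UDP payload plus the packet length; a real capture may also contain extension fields, in which case the MAC sits after them and the length heuristic above would need to walk those fields first. Besides leaving "disable auth" out, the usual way to keep such packets from creating ephemeral associations is the "nopeer" flag on the default restrict line in ntp.conf.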