[ntp:questions] Unauthorized remote server configuration

Ryan Malayter malayter at gmail.com
Sat Jul 5 15:23:04 UTC 2008

On Sat, Jul 5, 2008 at 9:58 AM, Bob <bobsjunkmail at bellsouth.net> wrote:

> It's happened again. I disabled auth last night after my previous post, and
> let it run overnight with Wireshark capturing I've now got two IP addresses
> listed as peers that I did not add. They are listed as "sym_passive". I see
> requests from these sites listed as "mode 1" in monlist. Looking at the
> Wireshark packet captures, the packet from the remote that seems to make me
> start polling the remote contains a flag of  "Symmetric Mode Active". I got
> a number of packets from this same remote that I began polling, that when
> looked at with Wireshark, did things like changing polling frequency. All
> had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive"
> set.

Could they be Windows machines running Windows Time Service W32time
without proper configuration polling your server? By default, w32time
uses symmetric active mode (it assumes it is talking to other W32time
domain machines.)

The reference implementation of ntpd will not reject or ignore those
symmetric active polls, I think, but will not really peer with them
either. It just answers with a timestamp in symmetric mode, but
internally treats the associations as client mode in all other


More information about the questions mailing list