[ntp:questions] Unauthorized remote server configuration
Bob
bobsjunkmail at bellsouth.net
Sat Jul 5 16:22:16 UTC 2008
"Ryan Malayter" <malayter at gmail.com> wrote in message
news:5d7f07420807050823s60d01f8h89f079be01279788 at mail.gmail.com...
> On Sat, Jul 5, 2008 at 9:58 AM, Bob <bobsjunkmail at bellsouth.net> wrote:
>
>> It's happened again. I disabled auth last night after my previous post, and
>> let it run overnight with Wireshark capturing. I've now got two IP addresses
>> listed as peers that I did not add. They are listed as "sym_passive". I see
>> requests from these sites listed as "mode 1" in monlist. Looking at the
>> Wireshark packet captures, the packet from the remote that seems to make me
>> start polling the remote contains a flag of "Symmetric Mode Active". I got
>> a number of packets from this same remote that I began polling, that when
>> looked at with Wireshark, did things like changing polling frequency. All
>> had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive"
>> set.
>
> Could they be Windows machines running Windows Time Service W32time
> without proper configuration polling your server? By default, w32time
> uses symmetric active mode (it assumes it is talking to other W32time
> domain machines.)
>
> The reference implementation of ntpd will not reject or ignore those
> symmetric active polls, I think, but will not really peer with them
> either. It just answers with a timestamp in symmetric mode, but
> internally treats the associations as client mode in all other
> respects.
>
> --
> RPM

It does more than just answer. After the first packet - Frame 1 - I answer
within a couple of hundred milliseconds. I also begin polling the remote for
time. Frame 72, 73, 75, 76. The remote also shows up on my peer list with
whatever frequency was requested by the remote. If it's considered normal
for a remote to request my machine to alter its peer list with disable auth
in the config file, I'll just remove that. This seems to conflict with an
earlier post, but if that's how it's supposed to work, then that's how it
is.

No. Time Source Destination Protocol Info
1 04:40:04.483617 206.205.105.226 10.33.90.10 NTP NTP symmetric active

Frame 1 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No. Time Source Destination Protocol Info
2 04:40:04.608762 10.33.90.10 206.205.105.226 NTP NTP symmetric passive

Frame 2 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

Frame 71 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No. Time Source Destination Protocol Info
72 06:02:38.301049 10.33.90.10 206.205.105.226 NTP NTP symmetric passive

Frame 72 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No. Time Source Destination Protocol Info
73 06:03:43.310142 10.33.90.10 206.205.105.226 NTP NTP symmetric passive

Frame 73 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No. Time Source Destination Protocol Info
74 06:03:46.997061 206.205.105.226 10.33.90.10 NTP NTP symmetric active

Frame 74 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No. Time Source Destination Protocol Info
75 06:05:51.328047 10.33.90.10 206.205.105.226 NTP NTP symmetric passive

Frame 75 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No. Time Source Destination Protocol Info
76 06:08:00.346095 10.33.90.10 206.205.105.226 NTP NTP symmetric passive

Frame 76 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol
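
The pattern in the capture above (inbound "symmetric active" from an address that was never configured, followed by outbound "symmetric passive" polls to it) can be checked for mechanically. The following is an added example, not part of the original post: the packet bytes, the `CONFIGURED` set and the 192.0.2.x addresses are constructed, and only the two addresses from the capture are taken from the message.

```python
import struct

def parse_ntp_header(payload):
    """Return (version, mode, poll) from an NTP UDP payload, or None if too short."""
    if len(payload) < 48:                      # fixed NTP header is 48 bytes
        return None
    flags, _stratum, poll, _prec = struct.unpack("!BBbb", payload[:4])
    return (flags >> 3) & 0x7, flags & 0x7, poll   # mode: 1=sym active, 2=sym passive

def find_unsolicited_peers(packets, local_ip, configured_peers):
    """Flag remotes that sent mode 1 without being configured, and count
    how often the local host then polled them back in mode 2."""
    suspects = {}
    for src, dst, payload in packets:
        hdr = parse_ntp_header(payload)
        if hdr is None:
            continue                           # malformed or truncated datagram
        _version, mode, poll = hdr
        if dst == local_ip and mode == 1 and src not in configured_peers:
            s = suspects.setdefault(src, {"active_in": 0, "passive_out": 0, "polls": set()})
            s["active_in"] += 1
            s["polls"].add(poll)               # poll exponent the remote advertised
        elif src == local_ip and mode == 2 and dst in suspects:
            suspects[dst]["passive_out"] += 1  # local host polling the remote back
    return suspects

def ntp(mode, poll, version=3):
    """Build a constructed 48-byte NTP packet with the given mode and poll."""
    return bytes([(version << 3) | mode, 2, poll, 0xEC]) + bytes(44)

LOCAL, REMOTE = "10.33.90.10", "206.205.105.226"   # addresses from the capture
CONFIGURED = {"192.0.2.1"}                         # hypothetical configured peer
# Constructed packets mirroring frames 1, 2, 72-76, plus an ordinary client
# query and a truncated datagram that must both be ignored.
CAPTURE = [
    (REMOTE, LOCAL, ntp(1, 6)), (LOCAL, REMOTE, ntp(2, 6)),
    (LOCAL, REMOTE, ntp(2, 6)), (LOCAL, REMOTE, ntp(2, 6)),
    (REMOTE, LOCAL, ntp(1, 7)), (LOCAL, REMOTE, ntp(2, 7)),
    (LOCAL, REMOTE, ntp(2, 7)),
    ("192.0.2.7", LOCAL, ntp(3, 6)), ("192.0.2.9", LOCAL, b"\x00" * 10),
]

if __name__ == "__main__":
    for ip, s in find_unsolicited_peers(CAPTURE, LOCAL, CONFIGURED).items():
        print(ip, s["active_in"], "mode-1 in;", s["passive_out"], "mode-2 out;",
              "poll exponents", sorted(s["polls"]))
```
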