[ntp:hackers] query spikes seen in ntp traffic at ren-isac

Hal Murray hmurray at suespammers.org
Sat Mar 25 06:21:52 UTC 2006

> thanks to donald smith of qwest for this:
> 	http://www.ren-isac.net/monitoring/port-costa.cgi?udp_dst_123_packets
> i believe this means the bad guys know that ntp currently makes a good
> reflector, and it's only a matter of time before it's in the
> headlines. 

I'm not sure that graph proves the bad guys are using NTP.  Of course, this 
handwaving doesn't prove they aren't, but here goes.

The base of the graph is 15000 rather than 0, so those gigantic spikes are 
only 3x normal traffic.

The Netgear boxes that attacked UWisc:
  Polls at one second intervals until it receives a response
  from the NTP server, after which it uses a longer poll 
  interval such as one minute, ten minutes, two hours, or
  24 hours, depending upon product model and firmware version.

(Just in case anybody hasn't seen it or wants a refresher:
  Flawed Routers Flood University of Wisconsin Internet Time Server
  http://www.cs.wisc.edu/~plonka/netgear-sntp )

The pool project sees a lot of abusive traffic.  The typical pattern is 1 
query per second from a host.  I think most of that is brain-damaged 
retransmission heuristics coupled with something like a firewall that is 
blocking NTP traffic.  (I don't have any real data to back that up.  It's 
just my memory/summary of various messages on the pool list.)

I think that sort of spiky graph could be generated by temporary outages of 
an NTP server and/or routing to/from it.

If I'm right, the slope of the leading edges of the spikes should correspond 
to the polling interval (assuming they aren't synchronized) and the trailing 
slope should be one second (assuming no network or server losses from the 
flood).  But after the first spike they are all synchronized, so who knows...

It would be interesting to know more about the details of the traffic behind 
that graph, especially the spikes.

The suespammers.org mail server is located in California.  So are all my
other mailboxes.  Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's.  I hate spam.
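The mechanism Hal sketches above (clients that poll once a second until they get an answer, then back off to a long interval, so that a server or routing outage produces a ramp-up whose slope is set by the polling interval and a collapse that takes about one second once replies resume) can be checked with a small discrete-time simulation. This is an added illustration, not part of the original post, and every number in it is constructed: 600 clients, a 600-second poll interval, and an outage from second 1000 to 1700. None of it comes from the REN-ISAC graph.

```python
"""Toy model of the outage-driven spike described in the post.

Constructed example: a population of clients with the Netgear-style
behaviour (retry every second until a reply arrives, then wait a long
poll interval).  Nothing here is measured data.
"""

from collections import Counter


def simulate(n_clients=600, poll_interval=600, retry_interval=1,
             outage=(1000, 1700), duration=3000):
    """Return a Counter: simulated second -> number of queries seen.

    Client i first polls at second i * poll_interval / n_clients, so the
    steady-state load is spread evenly (here: one query per second).
    A query that lands inside the outage window gets no reply, and the
    client re-polls after retry_interval seconds; a query that is answered
    makes the client wait poll_interval seconds.
    """
    start, end = outage
    next_poll = [int(i * poll_interval / n_clients) for i in range(n_clients)]
    queries = Counter()
    for t in range(duration):
        server_up = not (start <= t < end)
        for i in range(n_clients):
            if next_poll[i] <= t:
                queries[t] += 1
                next_poll[i] = t + (poll_interval if server_up else retry_interval)
    return queries


def edge_profile(queries, outage):
    """Summarise the spike around one outage.

    Returns (peak, ramp, decay): the peak queries/second, how many seconds
    after the outage begins the peak is first reached (the leading edge),
    and how many seconds after service returns the load falls below a tenth
    of the peak (the trailing edge).
    """
    start, end = outage
    peak = max(queries[t] for t in range(start, end))
    ramp = next(t for t in range(start, end) if queries[t] == peak) - start
    decay = next(t for t in range(end, end + 100) if queries[t] < peak / 10) - end
    return peak, ramp, decay


if __name__ == "__main__":
    outage = (1000, 1700)
    q = simulate(outage=outage)
    peak, ramp, decay = edge_profile(q, outage)
    print(f"steady state before outage: {q[999]} query/s")
    print(f"peak {peak} query/s reached {ramp} s after outage start")
    print(f"load collapsed {decay} s after service returned")
    # After the outage every client got its answer in the same second, so
    # they all re-poll together one poll_interval later: the clients are
    # now synchronised, as the post notes happens after the first spike.
    print(f"next synchronised burst at t={outage[1] + 600}: {q[outage[1] + 600]} query/s")
```

In the constructed scenario the ramp takes 599 seconds (one new client per second joins the retry storm, so the slope of the leading edge is set by the poll interval), the load drops from 600 to 0 query/s within one second of the server answering again, and the whole population then polls in lockstep every 600 seconds afterwards. Plugging in a different poll interval or a shorter outage than the poll interval changes the ramp and the peak, which is the kind of comparison one would make against per-second counts behind a graph like the one under discussion.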
