[ntp:hackers] Profiling abusive clients

Greg Dowd GDowd at symmetricom.com
Wed Dec 19 23:03:22 UTC 2007


Are those connections still there and are there step discontinuities?
I'm just wondering how you differentiate a number of compliant clients
behind a gateway from a single misbehaving client.

Sorry for the lag.  I just found this in my spam folder.  Don't know why
it choked on this one and none of the others. 


Greg Dowd
gdowd at symmetricom dot com (antispam format)
Symmetricom, Inc.
www.symmetricom.com
"Everything should be made as simple as possible, but no simpler" Albert
Einstein

-----Original Message-----
From: hackers-bounces+gdowd=symmetricom.com at lists.ntp.org
[mailto:hackers-bounces+gdowd=symmetricom.com at lists.ntp.org] On Behalf
Of David L. Mills
Sent: Sunday, November 18, 2007 9:33 PM
To: hackers at ntp.org
Subject: [ntp:hackers] Profiling abusive clients

Guys,

A closer examination of the rackety.udel.edu abusers reveals an
interesting profile. Currently, there is one abuser honking continuously
at three seconds, another at five seconds and a third at eight seconds. 
This is the same kind of abuse noted in the PTTI paper about NIST and
USNO abuse. However, there are several cases where the perp sends two
messages back-to-back at less than one second intervals, but does this
only infrequently. The prevalence of these two classes of abusers
suggests there are at least two different implementations that behave in
the manner observed.

The latest code will return KoDs in either of these cases. The
interesting thing is that, if the KoDs are simply ignored, the abuser
will continue to have success, even if the majority of packets are
dropped or result in KoDs. If the client code does not understand and
discards the KoDs, the client time will not be adjusted, even if those
packets that do get through are believed. The bottom line is that the
naive user will probably not even notice the KoDs. Perhaps the KoD design
should be more violent and purposely destabilize the client clock.

Dave
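
An added example, not part of either message and not ntpd's code: one way to separate the two abuser classes described above (continuous polling at a fixed short interval versus occasional back-to-back pairs) from per-source arrival times, and to flag fast but aperiodic traffic of the kind several clients behind one gateway would produce. The MIN_GAP and JITTER thresholds, the 80% cutoff, the label names and the sample addresses are assumptions.

```python
from collections import defaultdict
from statistics import median

MIN_GAP = 16.0   # assumed: shortest typical interval for a well-behaved client (s)
BURST_GAP = 1.0  # from the post: back-to-back messages under one second apart
JITTER = 0.5     # assumed tolerance when testing for a fixed period (s)

def classify(times):
    """Classify one source from its sorted request arrival times (seconds)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return "insufficient-data"
    mid = median(gaps)
    steady = sum(abs(g - mid) <= JITTER for g in gaps) / len(gaps)
    bursts = sum(g < BURST_GAP for g in gaps)
    if mid < MIN_GAP and steady >= 0.8:   # assumed cutoff: 80% of gaps on one period
        return "continuous"      # fixed short period, e.g. every 3, 5 or 8 s
    if mid >= MIN_GAP and bursts:
        return "burst"           # normal spacing with occasional back-to-back pairs
    if mid < MIN_GAP:
        return "irregular-fast"  # fast but aperiodic: possibly many clients, one gateway
    return "ok"

def profile(events):
    """Group (timestamp, source) pairs by source and classify each source."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    return {src: classify(sorted(ts)) for src, ts in by_src.items()}

def sample_events():
    """Constructed sample data; addresses are documentation ranges, not real hosts."""
    ev = [(3.0 * i, "192.0.2.10") for i in range(20)]        # one packet every 3 s
    ev += [(8.0 * i, "192.0.2.11") for i in range(10)]       # one packet every 8 s
    ev += [(64.0 * i, "192.0.2.20") for i in range(6)]       # 64 s polling ...
    ev += [(128.2, "192.0.2.20")]                            # ... plus one back-to-back pair
    ev += [(64.0 * i + 7, "192.0.2.30") for i in range(6)]   # compliant 64 s polling
    # Six compliant 64 s clients sharing one gateway address, at different offsets.
    ev += [(64.0 * i + off, "198.51.100.1")
           for i in range(4) for off in (0, 5, 11, 23, 37, 50)]
    return ev

if __name__ == "__main__":
    for src, label in sorted(profile(sample_events()).items()):
        print(f"{src:15s} {label}")
```

The "irregular-fast" label is only a heuristic for the gateway case: a high aggregate rate without a single dominant period is consistent with several compliant clients, but does not prove it.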