[ntp:hackers] NTP clients using source ports lower than 123
Danny Mayer
mayer at ntp.org
Mon Dec 21 02:55:23 UTC 2009
David Malone wrote:
> On Thu, Dec 17, 2009 at 04:21:34PM +0000, Ronan Flood wrote:
>> Is that right? I'm still running 4.2.2 and I see clients in my monlists
>> using source ports lower than 123. In fact I had dealings recently with
>> a customer on a Windows client whose queries were coming from port 19;
>> and they still are. He's behind a firewall which may be doing NAT.
>
> I see lots of ports < 123 too. Here's a log-log histogram of port
> number against how many packets we see from that port to our NTP
> server over some period of time:
>
> http://www.maths.tcd.ie/~dwmalone/time/porthistogram.png
>
> [That's not to say all of these are good packets, but...] Interestingly,
> it looks like the ephemeral port range from 512-1024 is a bit less
> popular than the well-known range.
>
> The blip down to one is 1434, which is the SQL Slammer port.
>
> David.
I assume that you are not filtering any of these out at your firewall? I
also assume that the last number on the ports is 100,000 and not 10,000?
I question any NTP packet coming from a low-numbered port.
Danny
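
The kind of per-port tally discussed in this thread, as an added example that is not part of the original messages or of ntpd: it counts packets per source-port range and per power-of-ten port bin (the bins a log-scale port axis would use). The input format, the sample records and the exact range boundaries are assumptions of this example.

```python
from collections import Counter

# Constructed sample, one record per line:
#   "<client address> <UDP source port> <packets seen>"
# Addresses are documentation ranges; none of this is data from the thread.
SAMPLE = """\
192.0.2.10 123 5200
192.0.2.11 19 40
198.51.100.7 61 12
198.51.100.8 700 3
203.0.113.5 1434 1
203.0.113.9 32768 900
203.0.113.9 49152 1100
bogus line
192.0.2.12 70000 4
"""

# Upper bound of each range and its label. The ranges follow the ones named
# in the thread; the exact boundaries are this example's assumption.
CLASSES = [(122, "below-123"), (123, "ntp-123"), (511, "124-511"),
           (1024, "512-1024"), (65535, "above-1024")]

def parse(text):
    """Yield (port, packets), skipping malformed lines and impossible ports."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue
        port, packets = int(fields[1]), int(fields[2])
        if 1 <= port <= 65535 and packets > 0:
            yield port, packets

def port_class(port):
    """Label of the first range whose upper bound covers the port."""
    return next(name for top, name in CLASSES if port <= top)

def summarize(text):
    """Return (packets per range, packets per power-of-ten port bin)."""
    by_class, by_decade = Counter(), Counter()
    for port, packets in parse(text):
        by_class[port_class(port)] += packets
        # Bin 0 holds ports 1-9, bin 1 holds 10-99, and so on.
        by_decade[len(str(port)) - 1] += packets
    return by_class, by_decade

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        print(dict(counter))
```

The "below-123" total is the traffic a firewall rule on low source ports would drop, so it is the number to look at before adding such a filter.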