[ntp:hackers] NTP clients using source ports lower than 123

Danny Mayer mayer at ntp.org
Mon Dec 21 02:55:23 UTC 2009


David Malone wrote:
> On Thu, Dec 17, 2009 at 04:21:34PM +0000, Ronan Flood wrote:
>> Is that right?  I'm still running 4.2.2 and I see clients in my monlists
>> using source ports lower than 123.  In fact I had dealings recently with
>> a customer on a Windows client whose queries were coming from port 19;
>> and they still are.  He's behind a firewall which may be doing NAT.
> 
> I see lots of ports < 123 too. Here's a log-log histogram of port
> number against how many packets we see from that port to our NTP
> server over some period of time:
> 
> 	http://www.maths.tcd.ie/~dwmalone/time/porthistogram.png
> 
> [That's not to say all of these are good packets, but...] Interestingly,
> it looks like the ephemeral port range from 512-1024 is a bit less
> popular than the well-known range.
> 
> The blip down to one is 1434, which is the SQL Slammer port.
> 
> 	David.

I assume that you are not filtering any of these out at your firewall? I
also assume that the last number on the ports is 100,000 and not 10,000?
I question any NTP packet coming from a low-numbered port.

Danny
