[time] Other traffic to strange ports (was: Re: ICMP pings and ntp)
Matt Nordhoff
mnordhoff
Sat Dec 5 12:57:06 UTC 2009
Roelant wrote:
> Somewhat related to this perhaps, I've been seeing quite some "port
> 37"-traffic. TCP port 37 is used by the (outdated) time-protocol, wich
> NIST for instance still supports on all but their primary server
> <http://tf.nist.gov/service/its.htm>. My server doesn't support it
> either, so is dropped by the firewall.
>
> Below's a small snippet of some of the dropped traffic, and though it's
> not a whole lot, the fact that single IP's keep trying at intervals when
> there's no answer, seems to suggest that it's perhaps some legitimate
> service behind the request in stead of random scripts sniffing my
> server. And if that's true, a relation to being a public NTP (and in the
> pool seems obvious).
>
> Any of you guys see the same?
>
> Regards,
> Roelant.
>
> PS: FYI, 87.233.14.148 = ntp.roelant.net <http://ntp.roelant.net> in the
> pool <http://www.pool.ntp.org/scores/87.233.14.148>.
I've long since stopped my firewall from logging traffic to ports 13
(DAYTIME) and 524 (NetWare Core Protocol, which has several functions,
including time), and TCP traffic to port 123 (now that's just dumb).
I also see UDP traffic to port 500, but I haven't figured out what it
is. It's registered for ISAKMP, but Wikipedia's article doesn't mention
time distribution, and I haven't read the RFC.
And this isn't even counting the proper NTP traffic that's from bogon IP
addresses!
[snip]
--
Matt Nordhoff
More information about the pool
mailing list