[ntp:questions] Re: ntp-cup (timeserver) is being attacked (I think)

Richard B. Gilbert rgilbert88 at comcast.net
Tue Apr 26 14:02:13 UTC 2005


David Dalton wrote:

>I have noticed a problem with two stratum-1 timeservers that are
>operated by HP for the public.  These are GPS systems that have been
>operating for years with no problems.  As recently as 6 months ago
>they had between 500 and 1000 clients and were handling this load
>without breaking a sweat (although these machines are old and
>under-powered).
>
>In the past several months, these two machines have started receiving
>a flood of NTP traffic, so heavy that they cannot handle the load. 
>One machine (in Palo Alto) showed 292 THOUSAND NTP packets in a sixty
>second period.  That is a lot of NTP packets.
>
>Looking at the trace capture data, it is not what you might think. 
>There are two "bad actors" heading the list.  Both of these guys have
>been sent the kiss-of-death packet, but they continue hammering away
>even though they aren't getting responses any more.  Here they are:
>
>   Address          Address          Packets  Bytes   Packets  Bytes   Packets  Bytes
>      A                B                               A->B     A->B    A<-B     A<-B
>204.123.2.72     206.168.44.21    906      81540   0        0       906      81540
>204.123.2.72     206.168.40.4     338      30420   0        0       338      30420
>
>But this is only a tiny fraction of the problem!  Further down the
>list are clients that are sending about one packet every five seconds
>(10-15 packets in the 60 second capture).  That is pretty frequent for
>NTP clients that I know, but here is the shocker:  there are over 4000
>of these badly-behaved clients!
>
>What are these clients that ask for the time every five seconds and
>never back off?  Where are they coming from?  Why are they hitting
>these two (otherwise unrelated) timeservers and not others?
>
>I am aware of the Netgear/UWisconsin debacle, and this has some
>similarities, but enough differences to make it clear this is a
>different "attack".  I hope it does not turn out to be another problem
>like UWisc.  Right now these two timeservers are useless to the
>world, and I fear that they might have to be shut down permanently.
>
>Are other public timeservers being "attacked" in this distributed
>fashion?  Is this a new threat that NTP administrators must deal with?
>
>David Dalton            dalton_95014 at yahoo.com
>=======================================================
>Our goal in computer science is to build something
>that will last at least until we finish building it.
>  
>
David,

The two ip addresses in question are both assigned to:

OrgName:    FONE NET, LLC 
OrgID:      FNL-1 <http://ws.arin.net/cgi-bin/whois.pl?queryinput=O%20%21%20FNL-1>
Address:    16 North Market
City:       Cortez
StateProv:  CO
PostalCode: 81321
Country:    US

If HP has a problem, they have the standing to complain about it!  A 
letter or a phone call should be enough to get these systems shut down 
or repaired.  At the same time HP might want to contact ARIN to update 
the contact information for the network(s) their servers are on; ARIN 
says it's out of date!

I got this address by looking up the IP address on ARIN Whois 
<http://ws.arin.net/cgi-bin/whois.pl>

ARIN is a useful resource for finding the responsible party or someone 
who can unplug the responsible party if all else fails.  ARIN does not 
list networks outside of the US but will point you to RIPE for European 
addresses, or the appropriate assigning authority for South America, or 
Asia, or wherever.
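To turn a 60-second capture like the one David describes into the per-client tally he reports (top talkers, and how many clients poll roughly every five seconds), here is an added example in Python. It is not code from either poster; it assumes a constructed log with one line per NTP request in the form `<seconds since capture start> <client ip>`, and the threshold of 10 packets per minute is an assumption chosen to match the "one packet every five seconds" clients in the post.

```python
from collections import Counter

WINDOW_SECONDS = 60
# A client asking every five seconds sends 12 packets a minute; one that backs
# off properly (minpoll 64 s or more) sends about one.  Threshold is assumed.
ABUSE_THRESHOLD = 10

def constructed_capture():
    """Constructed stand-in for a 60 s capture: '<seconds> <client ip>' per packet."""
    lines = [f"{t:.1f} 192.0.2.10" for t in range(0, 60, 5)]   # 12 pkts, every 5 s
    lines += [f"{t:.1f} 192.0.2.11" for t in range(2, 60, 6)]  # 10 pkts, every 6 s
    lines += ["30.0 198.51.100.7",                             # polite: 1 pkt
              "3.0 203.0.113.5", "47.0 203.0.113.5",           # polite: 2 pkts
              "not a packet line"]                             # malformed, skipped
    return "\n".join(lines)

def parse_capture(text):
    """Yield (timestamp, client_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield float(parts[0]), parts[1]
        except ValueError:
            continue

def packets_per_client(text):
    return Counter(ip for _, ip in parse_capture(text))

def flag_abusive_clients(text, threshold=ABUSE_THRESHOLD, window=WINDOW_SECONDS):
    """Clients at or above threshold, busiest first: [(ip, count, avg_gap_s), ...]."""
    counts = packets_per_client(text)
    rows = [(ip, n, window / n) for ip, n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

def summarize(text, threshold=ABUSE_THRESHOLD, window=WINDOW_SECONDS):
    """Headline numbers: how much of the load the flagged clients account for."""
    counts = packets_per_client(text)
    flagged = flag_abusive_clients(text, threshold, window)
    return {"total_packets": sum(counts.values()),
            "clients": len(counts),
            "flagged_clients": len(flagged),
            "flagged_packets": sum(n for _, n, _ in flagged)}

if __name__ == "__main__":
    cap = constructed_capture()
    print(summarize(cap))
    for ip, n, gap in flag_abusive_clients(cap):
        print(f"{ip:16} {n:4d} pkts  one every {gap:.1f} s")
```

Run against a real capture, the flagged list is what you would hand to the abuse contact found via whois, and the `flagged_packets` share tells you whether a handful of top talkers or the long tail of five-second pollers is what is actually saturating the server.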
