[ntp:questions] Re: Question on abusive clients.

Karel Sandler sandler at ujf.cas.cz
Thu Dec 22 12:29:13 UTC 2005


"Michael Deutschmann" <michael at talamasca.ocis.net> wrote in message 
news:%DxhqD1THI at khar-pern.talamasca.ocis.net...
> On Thu, 22 Dec 2005, Karel Sandler wrote:
>> My question is, if there is a possibility how to distinguish between a
>> misconfigured client or a group of more or less standard clients behind a
>> NAT. Originally, I thought, it would be easy. Ideally, the timestamps of a
>
> Perhaps you could look at the source ports.  I'm not sure, but I think NTPD
> not only listens on port 123, it uses that as its source port.  A
> masquerading system will remap the source port to something else, usually
> quite high, and definitely outside of Unix's traditional "reserved ports"
> range (< 1024).
>
Thanks for this hint. In both cases I mentioned, the source port was 123. I 
will arrange a few sntp clients behind NAT. Then, tcpdump should give more 
insight into this topic.

Karel Sandler 
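
The source-port check discussed in this thread, as an added example that is not part of the original messages: it parses `tcpdump -n -tt` lines and reports, per client address, the source ports seen and the shortest gap between requests. The sample capture, the addresses and the function names are assumptions made for illustration, and the tags are hints only, since a source port of 123 was observed in both of the cases mentioned above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -tt udp dst port 123` output
# (documentation addresses, not taken from the thread).
SAMPLE = """\
1135254500.000000 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv4, Client, length 48
1135254501.000000 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv4, Client, length 48
1135254502.000000 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv4, Client, length 48
1135254510.000000 IP 192.0.2.20.40001 > 198.51.100.1.123: NTPv4, Client, length 48
1135254574.000000 IP 192.0.2.20.40002 > 198.51.100.1.123: NTPv4, Client, length 48
1135254590.000000 IP 192.0.2.20.51234 > 198.51.100.1.123: NTPv3, Client, length 48
1135254600.000000 IP 192.0.2.30.61000 > 198.51.100.1.123: NTPv4, Client, length 48
"""

LINE = re.compile(
    r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+\.123: NTPv\d, Client")

def summarize(text):
    """Per source IP: request count, source ports seen, shortest gap in seconds."""
    seen = defaultdict(lambda: {"ports": set(), "times": []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip server replies and anything that is not a client request
        seen[m.group(2)]["ports"].add(int(m.group(3)))
        seen[m.group(2)]["times"].append(float(m.group(1)))
    out = {}
    for ip, d in seen.items():
        t = sorted(d["times"])
        gaps = [b - a for a, b in zip(t, t[1:])]
        out[ip] = {"count": len(t), "ports": d["ports"],
                   "min_gap": min(gaps) if gaps else None}
    return out

def classify(info, reserved=1024):
    """Tag by source port only; a port below 1024 does not rule out NAT."""
    high = {p for p in info["ports"] if p >= reserved}
    if len(high) > 1:
        return "multiple-high-ports"   # remapping NAT or clients on ephemeral ports
    if high:
        return "single-high-port"
    return "low-port-only"             # e.g. 123: port alone is inconclusive

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        print(ip, classify(info), sorted(info["ports"]), info["min_gap"])
```
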




