[ntp:questions] Re: Question on abusive clients.
sandler at ujf.cas.cz
Thu Dec 22 12:29:13 UTC 2005
"Michael Deutschmann" <michael at talamasca.ocis.net> wrote in message
news:%DxhqD1THI at khar-pern.talamasca.ocis.net...
> On Thu, 22 Dec 2005, Karel Sandler wrote:
>> My question is, if there is a possibility how to distinguish between a
>> misconfigured client or a grup of more or less standard clients behind a
>> NAT. Originally, I thought, it would be easy. Ideally, the timestamps of
> Perhaps you could look at the source ports. I'm not sure, but I think
> not only listens on port 123, it uses that as it's source port. A
> masquerading system will remap the source port to something else, usually
> quite high, and definitely outside of Unix's traditional "reserved ports"
> range (< 1024).
Thanks for this hint. In both cases I mentioned, the source port was 123. I
will arrange a few sntp clients behind NAT. Then, tcpdump should give more
insight into this topic.
More information about the questions