[ntp:questions] Re: abuse or bug ?
David L. Mills
mills at udel.edu
Fri Jan 28 18:37:58 UTC 2005
Henk,
Can you confirm the version number of the apparently abusive client? In
testing here we occasionally have broken test versions, but these are
never intended to escape the local test environment and should never
have been put up for public grab.
The client you highlight is not reachable from here for ping or ntpq. If
it was reachable by ping but not for ntpq and not returning a ICMP
destination port unreachable, I would suspect a Netgear client.
Dave
Henk Penning wrote:
> In <ctcbau$tkq$1 at nntp.webmaster.com> "David Schwartz" <davids at webmaster.com> writes:
>
>
>>> It has sent 438851 packets in the last 129.3 hours to 'ntp.cs.uu.nl'.
>>> The client says the server is unreachable.
>>
>> How confident are you in this number? It definitely seems strange. NTP
>> should not poll a non-responding server more than once every 64 seconds.
>
>
> I am 100% sure.
>
> % ntpdc -n -c monl ntp.cs.uu.nl | head -10
> remote address port local address count m ver drop last first
> ===============================================================================
> 131.211.81.21 59407 131.211.80.155 3 7 2 0 0 150
> 145.92.25.10 123 131.211.80.155 152220 3 4 0 0 335403
> 66.45.74.58 123 131.211.80.155 1603771 3 4 0 0 2148991
> 143.232.188.175 123 131.211.80.155 576590 3 4 0 0 603126
> 83.140.64.206 123 131.211.80.155 1885669 3 4 0 0 1911456
> 129.105.100.183 [<-----] 123 131.211.80.155 527881 3 4 0 0 561934
> 83.140.96.1 123 131.211.80.155 416483 3 4 0 1 513871
> 62.253.219.194 123 131.211.80.155 17 3 3 0 1 151
>
>
>>> the interesting thing is that
>>> standard ntpd software with a 'normal config', running on
>>> of-the-shelf hardware, can show the undesired behaviour.
>
>
>> That is very strange.
>
>
> Agree ; I noticed this strange behaviour from one of our own machines;
> a complete standard Dell linux box. However, before I could investigate
> the machine was rebooted and the prob went away.
>
> I watched our ntp server (ntp.cs.uu.nl) for a long time before I found
> an 'abuser' I could contact (in this case cs.northwestern.edu).
>
> The problem is reproducable : stop/start the client and/or the
> client's ntpd, this ntp-client always behave the same.
>
> Server ntp.cs.uu.nl always has between 900-1100 clients ;
> only 5 to 10 clients poll +/- once per second. The rest is ok.
>
>
>> DS
>
>
> regards.
>
> Henk Penning
>
> --
> ---------------------------------------------------------------- _
> Henk P. Penning, Computer Systems Group R Uithof CGN-A232 _/ \_
> Dept of Computer Science, Utrecht University T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
More information about the questions
mailing list