[ntp:questions] Re: abuse or bug ?

David L. Mills mills at udel.edu
Fri Jan 28 18:37:58 UTC 2005


Henk,

Can you confirm the version number of the apparently abusive client? In 
testing here we occasionally have broken test versions, but these are 
never intended to escape the local test environment and should never 
have been put up for public grab.

The client you highlight is not reachable from here for ping or ntpq. If 
it was reachable by ping but not for ntpq and not returning a ICMP 
destination port unreachable, I would suspect a Netgear client.

Dave

Henk Penning wrote:

> In <ctcbau$tkq$1 at nntp.webmaster.com> "David Schwartz" <davids at webmaster.com> writes:
> 
> 
>>> It has sent 438851 packets in the last 129.3 hours to 'ntp.cs.uu.nl'.
>>> The client says the server is unreachable.
>>
>>  How confident are you in this number? It definitely seems strange. NTP 
>> should not poll a non-responding server more than once every 64 seconds.
> 
> 
> I am 100% sure.
> 
> % ntpdc -n -c monl ntp.cs.uu.nl | head -10
> remote address          port local address      count m ver drop   last   first
> ===============================================================================
> 131.211.81.21          59407 131.211.80.155         3 7 2      0      0     150
> 145.92.25.10             123 131.211.80.155    152220 3 4      0      0  335403
> 66.45.74.58              123 131.211.80.155   1603771 3 4      0      0 2148991
> 143.232.188.175          123 131.211.80.155    576590 3 4      0      0  603126
> 83.140.64.206            123 131.211.80.155   1885669 3 4      0      0 1911456
> 129.105.100.183 [<-----] 123 131.211.80.155    527881 3 4      0      0  561934
> 83.140.96.1              123 131.211.80.155    416483 3 4      0      1  513871
> 62.253.219.194           123 131.211.80.155        17 3 3      0      1     151
> 
> 
>>>                                the interesting thing is that
>>> standard ntpd software with a 'normal config', running on
>>> of-the-shelf hardware, can show the undesired behaviour.
> 
> 
>>   That is very strange.
> 
> 
>   Agree ; I noticed this strange behaviour from one of our own machines;
>   a complete standard Dell linux box. However, before I could investigate
>   the machine was rebooted and the prob went away.
> 
>   I watched our ntp server (ntp.cs.uu.nl) for a long time before I found
>   an 'abuser' I could contact (in this case cs.northwestern.edu).
> 
>   The problem is reproducable : stop/start the client and/or the
>   client's ntpd, this ntp-client always behave the same.
> 
>   Server ntp.cs.uu.nl always has between 900-1100 clients ;
>   only 5 to 10 clients poll +/- once per second. The rest is ok.
> 
> 
>>   DS
> 
> 
>   regards.
> 
>   Henk Penning
> 
> --
> ----------------------------------------------------------------   _
> Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/



More information about the questions mailing list