[ntp:questions] notrust alternative?

David L. Mills mills at udel.edu
Fri Nov 3 19:43:23 UTC 2006


Dennis,

Note that most of the apparent intruders have poll interval 16 s, which 
is not very likely and suggests you may be a victim of a clogging attack. 
If authentication is turned off (explicit disable auth) you are a victim 
of some spoofer. The ntpq lines are the result of a mobilized symmetric 
passive association, as the t field is u (unicast). If that field is b 
or m, you would be a victim of broadcast or multicast.

If you have not explicitly turned off authentication, the default case 
is to refuse to mobilize anything unless authenticated. If this is the 
case, you might have exposed a bug. In any case, a restrict default 
nopeer should outsmart the bugger no matter what.

Dave

Richard B. Gilbert wrote:
> Dennis Hilberg Jr wrote:
> 
>> Here is the result of 'ntpq -p' on my system:
>>
>> saturn:# ntpq -p
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>> -bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
>> +montpelier.ilan .USNO.           1 u   31   64  377   48.057    0.342   2.201
>> +tick.ucla.edu   .PSC.            1 u   27   64  377   46.799   -0.404   2.485
>> +clock.xmission. .GPS.            1 u   26   64  377   52.507    0.491   1.587
>> *clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
>>  bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
>> -71.216.67.53    63.119.46.3      2 u   16   16  373  131.452   21.951   6.855
>>  host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
>>  cpe-65-186-213- 71.237.179.90    3 u   30   16  377   78.722  -386.14   5.327
>>  i-195-137-59-20 192.245.169.15   2 u   15   16  277   43.804  7099.33 236.967
>>  46.Red-80-38-9. 208.99.207.109   3 u   13   16  377  287.516  -3020.5  60.778
>>  72.15.196.228   216.52.237.153   3 u   13   16  377    0.001  30573.1 142.754
>>  213-84-173-46.a 192.245.169.15   2 u   10   16  377  1468.85  -11042.  11.560
>>  70.150.125.170  71.237.179.90    3 u    9   16  377   85.168  -40.077   6.857
>> -adsl-68-255-97- 64.81.199.165    2 u    8   16  377  106.531  -12.162   2.902
>>  65.5.127.231    71.237.179.90    3 u    8   16  377   88.479  -59.875   9.769
>>  mail.thamesself 71.237.179.90    3 u    7   16  377  172.238  -23.748  13.801
>>  217-116-10-20.r 66.92.77.98      3 u    8   16  377  731.425  -1245.1  42.582
>>  70.150.30.72    71.237.179.90    3 u    6   16  377  101.407  968.326   4.586
>> -adsl-158-64-228 141.156.108.23   2 u   98   16  374  109.658    3.006   2.807
>>  S01060011d8dcef 216.165.129.244  2 u    5   16  277   52.252  2650.47  33.139
>>  neu67-4-88-160- 209.132.176.4    2 u    5   16  377   71.208  29201.2 102.426
>>  host204-64-dyna 192.245.169.15   2 u  356   16  300   49.252  4497.48  43.638
>>  227-33.netwurx. 71.237.179.90    3 u    4   16  357  123.479  -59.126   9.594
>>  226.Red-83-41-1 81.169.139.140   3 u    2   16  177  284.796  539.697  34.158
>>  adsl-212-42-174 209.132.176.4    2 u    9   16  327  204.512   95.673  62.616
>>  cpe-24-24-123-2 80.127.4.179     2 u    2   16  377    0.001  11796.3 115.867
>> -70-89-23-210-ph 216.52.237.153   3 u   11   16  176   83.227  -18.373   1.094
>>  65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
>> #194.150.135.94  81.169.152.214   3 u   10   16   76  293.509  -14.045   7.274
>>  host114-244-dyn 192.245.169.15   2 u  212   16   30    0.001  4720.98 126.715
>>  bdsl.66.13.227. 63.119.46.3      2 u   72  256    7  117.779   -4.601   4.494
>> -mail.getmedium. 63.119.46.3      2 u   16   16   16  125.852   16.342   2.413
>>  host119-247-dyn 192.245.169.15   2 u    4   16    5    0.001  5061.93 236.150
>>  64.184.118.233  216.106.191.180  3 u  117   16    2    0.001  -100239   0.001
>>  host134.209.113 63.119.46.3      2 u   34  128    3    0.001  -603.10 859.203
>> -157.199.7.146   198.60.22.240    2 u    1   16    3   84.881  -21.815   1.294
>>  d54C3CA72.acces 192.245.169.15   2 u    5   16    3  169.735  -375.17   1.819
>>  ACaen-251-1-63- 81.169.152.214   3 u    4   16    2  441.105   68.311  24.742
>> #ip-207-145-35-7 65.19.139.44     3 u    4   16    3  144.620   22.869   6.186
>>  mulder.f5.com   216.52.237.153   3 u   66   16    2    5.431  -14.845   0.001
>>  65.107.178.178. 141.156.108.23   2 u   16   16    2   98.225  -3365.3   2.504
>>  wsip-68-14-240- 63.119.46.3      2 u   15   16    1   46.460  -24.621   1.612
>>  c-67-166-119-12 71.237.179.90    3 u   10   16    1    0.001  1149.46   4.429
>>  cpe-24-209-208- 66.92.68.11      2 u    9   16    1    0.001  -777.07  22.086
>>  foreman.heartla 75.13.24.211     2 u    8   16    1  172.065  -68.752   1.445
>>  cpe-65-27-168-2 141.156.108.23   2 u   22   64    1   87.519  124.139   0.001
>>
>> The first five servers listed above are the same ones listed in my 
>> ntp.conf as synchronization sources.  What are the rest of them?
>>
>> 'ntpdc -c monlist' returns 384 entries.  Is that typical?
>>
> 
> If you are operating a server, 384 clients does not seem unreasonable. 
> For clients to show up on the ntpq banner like that, they would almost 
> have to be "peers".  From the looks of things, you would not want most 
> of them as peers; they seem to be clueless about what time it is 
> (assuming that your server is correct).  Actually, about half of them 
> could not even be peers because they are at stratum 3 and your server 
> would appear to be at stratum 2.
> 
> I would study the "restrict" statement and add restrict statements that 
> would prevent anyone from peering with my server (at least any of THAT 
> crowd)!!!  I might even scrub my hands with disinfectant when I 
> finished!!!!!!   YUCK!!!!!!!!!!!!!!!
> 
> FWIW, I tried a couple of those addresses with "ping", "ntpq", and 
> "ntpdate" and got no response.  I tried one with nslookup and got no 
> translation.  I'd say it's a pretty "ripe" collection!!
> 
> What platform are you running on?  Which O/S?  What version?  Do you 
> have a firewall?  Is it possible that your system has been "hacked"?
> 
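As an added example (not part of the thread), a small Python script that applies Dave's heuristics above to `ntpq -p` output: it parses the rows and flags any association that is not one of the configured servers, polls at 16 s, or has a t field of b or m. The sample rows are copied from Dennis's listing; the CONFIGURED set and the function names are assumptions.

```python
"""Flag unexpected associations in `ntpq -p` output (added example).

Heuristics from the thread above: a remote that is not a configured
server is a mobilized symmetric-passive association; poll interval 16 s
suggests a clogging attack; t is u for unicast, b or m for broad/multicast.
"""

# Constructed sample: a few rows copied from the listing in the thread,
# each on a single line as ntpq prints it.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
*clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
 bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
 host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
 65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
"""

# Assumed configured sources, spelled as ntpq truncates them (15 chars).
CONFIGURED = {"bigben.cac.wash", "clepsydra.dec.c"}


def parse_ntpq(text):
    """Return one dict per association row; header and ruler are skipped."""
    rows = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        # Column 0 is the tally code (*, +, -, #, x, space ...), then fields.
        f = line[1:].split()
        rows.append({"tally": line[0], "remote": f[0], "refid": f[1],
                     "st": int(f[2]), "t": f[3], "poll": int(f[5]),
                     "reach": f[6], "offset": float(f[8])})
    return rows


def suspicious(rows, configured=CONFIGURED):
    """Return [(remote, [reasons])] for associations that should not exist."""
    flagged = []
    for r in rows:
        reasons = []
        if r["remote"] not in configured:
            reasons.append("not a configured server: symmetric passive?")
        if r["poll"] == 16:
            reasons.append("poll interval 16 s: possible clogging attack")
        if r["t"] in ("b", "m"):
            reasons.append("broadcast/multicast association (t=%s)" % r["t"])
        if reasons:
            flagged.append((r["remote"], reasons))
    return flagged
```

The rows this flags are exactly the ones a `restrict default nopeer` line, as Dave suggests above, stops ntpd from mobilizing; the `server` lines in ntp.conf are unaffected, since nopeer only refuses unsolicited symmetric-active and broadcast packets that would create a new association.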
