[ntp:questions] notrust alternative?

David L. Mills mills at udel.edu
Fri Nov 3 20:21:36 UTC 2006


Dennis,

I set up a likely scenario similar to yours and confirmed the default 
behavior, even with no restrictions, is to resist mobilizing a peer 
association as apparently happened to you. There was a code groom late 
last year, which might have produced a bug, but the groom was thoroughly 
checked specifically to resist apparent attacks like yours. In spite of 
that, the default behavior for many years before that is to resist 
mobilizing anything if authentication is not explicitly turned off.

What makes me even more suspicious is all those 16s for the peer poll
interval. That is not credible, unless spoofed. Apparently, the spoofer
is trying to heat up your wires and force you to consume memory and
network bandwidth.

I may have done something evil in allowing a symmetric active peer to
obtain service while not allowing an association to be mobilized. That
was done because the original Windows client used symmetric active mode
when it should have used client mode. If the notrust bit is set, the
perp will not get any response at all. However, the problem remains that
those spoofed associations should never have been mobilized in the first
place.

If you can recreate the scenario, run ntpq and rv for one or more of 
those voodoo associations, then send the results. I'd like to see the 
peer poll interval and the modes.

Dave

Dennis Hilberg Jr wrote:
> No, I do not think I've been hacked, but I guess it's possible.  The server is behind a router, with only the ssh, smtp, and ntp 
> ports open.
> 
> My system is Mandriva 2007 Free on x86.  No xwindows, command line only.  'ntpq -c version' returns:
> 
> saturn:# ntpq -c version
> ntpq 4.2.0 at 1.1161-r Sat Sep 30 08:43:12 MDT 2006 (1)
> 
> 
> 'ntpdc -ncreslist' returns:
> 
> saturn:# ntpdc -ncreslist
>    address          mask            count        flags
> =====================================================================
> 0.0.0.0         0.0.0.0             93063  noquery, nomodify, nopeer, notrap, kod
> 127.0.0.1       255.255.255.255      1675  none
> 127.0.0.1       255.255.255.255         0  ntpport, interface, ignore
> 192.168.1.0     255.255.255.0          19  nomodify, nopeer, notrap
> 192.168.1.102   255.255.255.255         0  ntpport, interface, ignore
> ::              ::                      0  none
> 
> My ntp.conf:
> 
> 
> # Default restriction.
> 
> restrict default kod nomodify notrap nopeer noquery
> 
> # Allow free access to localhost.
> 
> restrict 127.0.0.1
> 
> # Allow the local network access with the following modified restrictions.
> 
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
> 
> # Synchronization servers.  Include at least three, but no more than five.
> 
> server bigben.cac.washington.edu   iburst       # University of Washington, Seattle, WA
> server montpelier.ilan.caltech.edu iburst       # California Institute of Technology, Pasadena, CA
> server tick.ucla.edu               iburst       # UCLA, Los Angeles, CA
> server clock.xmission.com          iburst       # XMission Internet, Salt Lake City, Utah
> server clepsydra.dec.com           iburst       # HP Western Research Laboratory, Palo Alto, CA
> 
> # Drift file location
> 
> driftfile /etc/ntp/drift
> 
> # Location of the log file
> 
> logfile /var/log/ntp/ntp.log
> 
> # NTP monitoring parameters
> 
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> 
> # Authentication parameters
> 
> #keys           /etc/ntp/keys
> #trustedkey     2 3 4
> #controlkey     3       # To access the ntpq utility
> #requestkey     2       # To access the ntpdc utility
> 
> Do I have my access restrictions set up properly?  Am I missing anything?
> 
> Dennis
> 
> 
> "Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message news:l6ydnTpageZdF9bYnZ2dnUVZ_qCdnZ2d at comcast.com...
> | Dennis Hilberg Jr wrote:
> |
> | > Here is the result of 'ntpq -p' on my system:
> | >
> | > saturn:# ntpq -p
> | >      remote           refid      st t when poll reach   delay   offset  jitter
> | > ==============================================================================
> | > -bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
> | > +montpelier.ilan .USNO.           1 u   31   64  377   48.057    0.342   2.201
> | > +tick.ucla.edu   .PSC.            1 u   27   64  377   46.799   -0.404   2.485
> | > +clock.xmission. .GPS.            1 u   26   64  377   52.507    0.491   1.587
> | > *clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
> | >  bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
> | > -71.216.67.53    63.119.46.3      2 u   16   16  373  131.452   21.951   6.855
> | >  host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
> | >  cpe-65-186-213- 71.237.179.90    3 u   30   16  377   78.722  -386.14   5.327
> | >  i-195-137-59-20 192.245.169.15   2 u   15   16  277   43.804  7099.33 236.967
> | >  46.Red-80-38-9. 208.99.207.109   3 u   13   16  377  287.516  -3020.5  60.778
> | >  72.15.196.228   216.52.237.153   3 u   13   16  377    0.001  30573.1 142.754
> | >  213-84-173-46.a 192.245.169.15   2 u   10   16  377  1468.85  -11042.  11.560
> | >  70.150.125.170  71.237.179.90    3 u    9   16  377   85.168  -40.077   6.857
> | > -adsl-68-255-97- 64.81.199.165    2 u    8   16  377  106.531  -12.162   2.902
> | >  65.5.127.231    71.237.179.90    3 u    8   16  377   88.479  -59.875   9.769
> | >  mail.thamesself 71.237.179.90    3 u    7   16  377  172.238  -23.748  13.801
> | >  217-116-10-20.r 66.92.77.98      3 u    8   16  377  731.425  -1245.1  42.582
> | >  70.150.30.72    71.237.179.90    3 u    6   16  377  101.407  968.326   4.586
> | > -adsl-158-64-228 141.156.108.23   2 u   98   16  374  109.658    3.006   2.807
> | >  S01060011d8dcef 216.165.129.244  2 u    5   16  277   52.252  2650.47  33.139
> | >  neu67-4-88-160- 209.132.176.4    2 u    5   16  377   71.208  29201.2 102.426
> | >  host204-64-dyna 192.245.169.15   2 u  356   16  300   49.252  4497.48  43.638
> | >  227-33.netwurx. 71.237.179.90    3 u    4   16  357  123.479  -59.126   9.594
> | >  226.Red-83-41-1 81.169.139.140   3 u    2   16  177  284.796  539.697  34.158
> | >  adsl-212-42-174 209.132.176.4    2 u    9   16  327  204.512   95.673  62.616
> | >  cpe-24-24-123-2 80.127.4.179     2 u    2   16  377    0.001  11796.3 115.867
> | > -70-89-23-210-ph 216.52.237.153   3 u   11   16  176   83.227  -18.373   1.094
> | >  65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
> | > #194.150.135.94  81.169.152.214   3 u   10   16   76  293.509  -14.045   7.274
> | >  host114-244-dyn 192.245.169.15   2 u  212   16   30    0.001  4720.98 126.715
> | >  bdsl.66.13.227. 63.119.46.3      2 u   72  256    7  117.779   -4.601   4.494
> | > -mail.getmedium. 63.119.46.3      2 u   16   16   16  125.852   16.342   2.413
> | >  host119-247-dyn 192.245.169.15   2 u    4   16    5    0.001  5061.93 236.150
> | >  64.184.118.233  216.106.191.180  3 u  117   16    2    0.001  -100239   0.001
> | >  host134.209.113 63.119.46.3      2 u   34  128    3    0.001  -603.10 859.203
> | > -157.199.7.146   198.60.22.240    2 u    1   16    3   84.881  -21.815   1.294
> | >  d54C3CA72.acces 192.245.169.15   2 u    5   16    3  169.735  -375.17   1.819
> | >  ACaen-251-1-63- 81.169.152.214   3 u    4   16    2  441.105   68.311  24.742
> | > #ip-207-145-35-7 65.19.139.44     3 u    4   16    3  144.620   22.869   6.186
> | >  mulder.f5.com   216.52.237.153   3 u   66   16    2    5.431  -14.845   0.001
> | >  65.107.178.178. 141.156.108.23   2 u   16   16    2   98.225  -3365.3   2.504
> | >  wsip-68-14-240- 63.119.46.3      2 u   15   16    1   46.460  -24.621   1.612
> | >  c-67-166-119-12 71.237.179.90    3 u   10   16    1    0.001  1149.46   4.429
> | >  cpe-24-209-208- 66.92.68.11      2 u    9   16    1    0.001  -777.07  22.086
> | >  foreman.heartla 75.13.24.211     2 u    8   16    1  172.065  -68.752   1.445
> | >  cpe-65-27-168-2 141.156.108.23   2 u   22   64    1   87.519  124.139   0.001
> | >
> | > The first five servers listed above are the same ones listed in my ntp.conf as synchronization sources.  What are the rest of them?
> | >
> | > 'ntpdc -c monlist' returns 384 entries.  Is that typical?
> | >
> |
> | If you are operating a server, 384 clients does not seem unreasonable.
> | For clients to show up on the ntpq banner like that, they would almost
> | have to be "peers".  From the looks of things, you would not want most
> | of them as peers; they seem to be clueless about what time it is
> | (assuming that your server is correct).  Actually, about half of them
> | could not even be peers because they are at stratum 3 and your server
> | would appear to be at stratum 2.
> |
> | I would study the "restrict" statement and add restrict statements that
> | would prevent anyone from peering with my server (at least any of THAT
> | crowd)!!!  I might even scrub my hands with disinfectant when I
> | finished!!!!!!   YUCK!!!!!!!!!!!!!!!
> |
> | FWIW, I tried a couple of those addresses with "ping", "ntpq", and
> | "ntpdate" and got no response.  I tried one with nslookup and got no
> | translation.  I'd say it's a pretty "ripe" collection!!
> |
> | What platform are you running on?  Which O/S?  What version?  Do you
> | have a firewall?  Is it possible that your system has been "hacked"?
> | 
> 
> 

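An added example, not from the thread: a small Python check that parses 'ntpq -p' output against the 'server' and 'restrict default' lines of an ntp.conf, listing associations the configuration never asked for and any association sitting at the 16-second poll interval Dave calls out. The host names, addresses and ntp.conf fragment in it are constructed for the example.

```python
import re
# Constructed sample in 'ntpq -p' format: one configured server plus two rows
# in the style of the unwanted associations shown in the thread.
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
 192.0.2.10      198.51.100.1     2 u   15   16  377  100.925  -5344.6  40.603
-198.51.100.7    203.0.113.9      2 u   16   16  373  131.452   21.951   6.855
"""
# Constructed ntp.conf fragment reusing the thread's default restrict line.
NTP_CONF = """\
restrict default kod nomodify notrap nopeer noquery
server clepsydra.dec.com iburst
"""

def configured_servers(conf):
    """Hostnames named on 'server' or 'peer' lines of an ntp.conf."""
    return {m.group(1) for m in
            re.finditer(r"^\s*(?:server|peer)\s+(\S+)", conf, re.M)}

def default_restrict_flags(conf):
    """Flags on the 'restrict default' line, e.g. {'nopeer', 'noquery', ...}."""
    m = re.search(r"^\s*restrict\s+default\s+(.*)$", conf, re.M)
    return set(m.group(1).split()) if m else set()

def parse_ntpq_peers(text):
    """Parse 'ntpq -p' rows; column 0 is the one-character tally code."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("=") or "remote" in line:
            continue
        tally, f = line[0], line[1:].split()
        if len(f) >= 10:
            rows.append({"tally": tally, "remote": f[0], "stratum": int(f[2]),
                         "poll": int(f[5]), "offset": float(f[8])})
    return rows

def suspicious(rows, servers):
    """(remote, reason) pairs for rows absent from ntp.conf (matched by prefix,
    since ntpq truncates names to 15 characters) or polling every 16 seconds."""
    out = []
    for r in rows:
        reasons = []
        if not any(s.startswith(r["remote"]) for s in servers):
            reasons.append("not configured in ntp.conf")
        if r["poll"] <= 16:
            reasons.append("peer poll interval %d" % r["poll"])
        if reasons:
            out.append((r["remote"], "; ".join(reasons)))
    return out
```

Feed it the real 'ntpq -p' text and /etc/ntp.conf, and every association it prints is one to inspect with 'ntpq' and 'rv' as Dave asks, since a correctly restricted server should list only its configured sources.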