[ntp:questions] Re: "Listen on" semantics

Luc Pardon xntp at skopos.be
Thu Sep 21 08:50:24 UTC 2006



Harlan Stenn wrote:
> And I thought syslog() was pretty good about "Last
> message repeated N times".
> 

    In addition to my last post (which I forgot to sign, sorry), it may 
be worth recalling that ntp 4.2.0 (and maybe later) had a bug that make 
it log bogus IP's:

 > Sep  3 04:07:36 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9: 
Connection refused
 > Sep  3 04:08:40 gida ntpd[4796]: recvfrom(192.168.1.3) fd=9: 
Connection refused

   OK, though they are not the IP's that the packets really came from, 
they are not really bogus. Apparently it's the IP that a packet was last 
received from (client or server). The syslog daemon wouldn't be able to 
compress these two lines. Of course, in between two legitimate queries, 
the log lines will all have the same IP. So, instead of only two log 
lines ("connection refused" and "message repeated") the attacker may be 
able to get a few more, but he would still be wasting most of his bandwidth.

   Even so, it does help to make the smoke curtain thicker and it would 
make the sysadmin scratch his head even more - I know, first hand.

    Luc



More information about the questions mailing list