[ntp:questions] Re: "Listen on" semantics
Luc Pardon
xntp at skopos.be
Thu Sep 21 08:50:24 UTC 2006
Harlan Stenn wrote:
> And I thought syslog() was pretty good about "Last
> message repeated N times".
>
In addition to my last post (which I forgot to sign, sorry), it may
be worth recalling that ntp 4.2.0 (and maybe later) had a bug that make
it log bogus IP's:
> Sep 3 04:07:36 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9:
Connection refused
> Sep 3 04:08:40 gida ntpd[4796]: recvfrom(192.168.1.3) fd=9:
Connection refused
OK, though they are not the IP's that the packets really came from,
they are not really bogus. Apparently it's the IP that a packet was last
received from (client or server). The syslog daemon wouldn't be able to
compress these two lines. Of course, in between two legitimate queries,
the log lines will all have the same IP. So, instead of only two log
lines ("connection refused" and "message repeated") the attacker may be
able to get a few more, but he would still be wasting most of his bandwidth.
Even so, it does help to make the smoke curtain thicker and it would
make the sysadmin scratch his head even more - I know, first hand.
Luc
More information about the questions
mailing list