[ntp:questions] Unauthorized remote server configuration

Bob bobsjunkmail at bellsouth.net
Sat Jul 5 16:22:16 UTC 2008


"Ryan Malayter" <malayter at gmail.com> wrote in message 
news:5d7f07420807050823s60d01f8h89f079be01279788 at mail.gmail.com...
> On Sat, Jul 5, 2008 at 9:58 AM, Bob <bobsjunkmail at bellsouth.net> wrote:
>
>> It's happened again. I disabled auth last night after my previous post, and
>> let it run overnight with Wireshark capturing. I've now got two IP addresses
>> listed as peers that I did not add. They are listed as "sym_passive". I see
>> requests from these sites listed as "mode 1" in monlist. Looking at the
>> Wireshark packet captures, the packet from the remote that seems to make me
>> start polling the remote contains a flag of "Symmetric Mode Active". I got
>> a number of packets from this same remote that I began polling, that when
>> looked at with Wireshark, did things like changing polling frequency. All
>> had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive"
>> set.
>
> Could they be Windows machines running Windows Time Service W32time
> without proper configuration polling your server? By default, w32time
> uses symmetric active mode (it assumes it is talking to other W32time
> domain machines.)
>
> The reference implementation of ntpd will not reject or ignore those
> symmetric active polls, I think, but will not really peer with them
> either. It just answers with a timestamp in symmetric mode, but
> internally treats the associations as client mode in all other
> respects.
>
> -- 
> RPM

It does more than just answer. After the first packet - Frame 1 - I answer 
within a couple of hundred milliseconds. I also begin polling the remote for 
time. Frames 72, 73, 75, 76. The remote also shows up on my peer list with 
whatever frequency was requested by the remote. If it's considered normal 
for a remote to request my machine to alter its peer list with disable auth 
in the config file, I'll just remove that. This seems to conflict with an 
earlier post, but if that's how it's supposed to work, then that's how it 
is.




No.     Time            Source                Destination           Protocol Info
      1 04:40:04.483617 206.205.105.226       10.33.90.10           NTP NTP symmetric active

Frame 1 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
      2 04:40:04.608762 10.33.90.10           206.205.105.226       NTP NTP symmetric passive

Frame 2 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol


Frame 71 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
     72 06:02:38.301049 10.33.90.10           206.205.105.226       NTP NTP symmetric passive

Frame 72 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
     73 06:03:43.310142 10.33.90.10           206.205.105.226       NTP NTP symmetric passive

Frame 73 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
     74 06:03:46.997061 206.205.105.226       10.33.90.10           NTP NTP symmetric active

Frame 74 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 206.205.105.226 (206.205.105.226), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: metagram (99), Dst Port: ntp (123)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
     75 06:05:51.328047 10.33.90.10           206.205.105.226       NTP NTP symmetric passive

Frame 75 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol

No.     Time            Source                Destination           Protocol Info
     76 06:08:00.346095 10.33.90.10           206.205.105.226       NTP NTP symmetric passive

Frame 76 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 206.205.105.226 (206.205.105.226)
User Datagram Protocol, Src Port: ntp (123), Dst Port: metagram (99)
Network Time Protocol
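
The pattern reported in this message, as an added example that is not part of the original post or of ntpd: a Python check that reads the mode bits of each NTP header and flags remotes outside the configured peer list that sent symmetric active (mode 1) packets and that the local host then polls in symmetric passive (mode 2). The function names, the "more passive out than active in" heuristic and the header values (version 3, stratum 2, poll 6) are assumptions; the sample packets are constructed to follow the direction and mode sequence of frames 1, 2 and 72-76 above.

```python
import struct
from collections import defaultdict

MODE_SYM_ACTIVE, MODE_SYM_PASSIVE = 1, 2

def parse_ntp(payload):
    """Return (leap, version, mode, stratum, poll) from a 48-byte NTP header."""
    if len(payload) < 48:
        raise ValueError("short NTP packet")
    flags, stratum, poll = struct.unpack("!BBb", payload[:3])
    return flags >> 6, (flags >> 3) & 0x7, flags & 0x7, stratum, poll

def unsolicited_peers(packets, local_ip, configured_peers):
    """packets: (src_ip, dst_ip, udp_payload) tuples in capture order.
    Reports remotes not in configured_peers that sent symmetric active."""
    stats = defaultdict(lambda: {"active_in": 0, "passive_out": 0})
    for src, dst, payload in packets:
        try:
            mode = parse_ntp(payload)[2]
        except ValueError:
            continue  # truncated payload, not a full NTP header
        if dst == local_ip and mode == MODE_SYM_ACTIVE and src not in configured_peers:
            stats[src]["active_in"] += 1
        elif src == local_ip and mode == MODE_SYM_PASSIVE and dst in stats:
            stats[dst]["passive_out"] += 1
    for s in stats.values():
        # Heuristic (assumption): more passive packets sent than active packets
        # received means the local host polls on its own timer, i.e. an
        # association was mobilized rather than each packet simply answered.
        s["mobilized"] = s["passive_out"] > s["active_in"]
    return dict(stats)

def ntp_header(mode, version=3, stratum=2, poll=6):
    """Build a constructed 48-byte NTP header (timestamps zeroed)."""
    return struct.pack("!BBbb", (version << 3) | mode, stratum, poll, -20) + bytes(44)

LOCAL, REMOTE = "10.33.90.10", "206.205.105.226"
# Constructed sample mirroring frames 1, 2, 72, 73, 74, 75, 76 of the capture.
SAMPLE = [
    (REMOTE, LOCAL, ntp_header(MODE_SYM_ACTIVE)),
    (LOCAL, REMOTE, ntp_header(MODE_SYM_PASSIVE)),
    (LOCAL, REMOTE, ntp_header(MODE_SYM_PASSIVE)),
    (LOCAL, REMOTE, ntp_header(MODE_SYM_PASSIVE)),
    (REMOTE, LOCAL, ntp_header(MODE_SYM_ACTIVE)),
    (LOCAL, REMOTE, ntp_header(MODE_SYM_PASSIVE)),
    (LOCAL, REMOTE, ntp_header(MODE_SYM_PASSIVE)),
]

if __name__ == "__main__":
    for ip, s in unsolicited_peers(SAMPLE, LOCAL, set()).items():
        print(ip, s)
```

In ntpd, the `nopeer` flag on a `restrict` line denies unauthenticated packets that would mobilize a new association, which is the behaviour this check looks for.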