[ntp:questions] Kiss-O'-Death

Bob bobsjunkmail at bellsouth.net
Thu Jun 26 11:46:20 UTC 2008


"Martin Burnicki" <martin.burnicki at meinberg.de> wrote in message 
news:i5acj5-96m.ln1 at gateway.py.meinberg.de...
>
> I don't know exactly how often or how long this happens. However, please
> take into account that clients may send requests at 2 second intervals at
> startup, if the iburst keyword has been used.
>
> Also, there may be several clients behind a NAT router, in which case all
> the requests from those clients seem to be coming from a single host with
> a given IP where in fact there are several hosts which are using
> individual private IPs behind the router.
>
> Depending on how many clients are currently up and running behind the
> router you may see a more or less high number of requests which seem to
> come from a single host.
>
> Did you also check the source port number of the request packets? The
> numbers should vary if the requests have been sent from several clients
> behind a router. They may or may not vary if they come from a single
> client. I think the conclusion that there is only one "bad boy" can only
> be made if the source port of the request is the same.
>
>
> Martin
> -- 
> Martin Burnicki
>
> Meinberg Funkuhren
> Bad Pyrmont
> Germany

I'll get a bunch of requests with the same port number, then a bunch of
packets with a different port (the port for the bunch is the same). Also,
the time data in the request is random and corrupt; example below. I've
contacted the source by email with no response yet. The source - a
University - lists on their web page what their own machines should be using
for NTP - their own server.


No. Time Source Destination Protocol Info
3 3.908464 128.194.147.44 10.33.90.10 NTP NTP client
Frame 3 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: 
AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 
(10.33.90.10)
User Datagram Protocol, Src Port: 42536 (42536), Dst Port: ntp (123)
Network Time Protocol
Flags: 0x23
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Nov 27, 2018 09:08:52.1230 UTC
No. Time Source Destination Protocol Info
4 3.908613 10.33.90.10 128.194.147.44 NTP NTP server
Frame 4 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: 
Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 
(128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 42536 (42536)
Network Time Protocol
Flags: 0x24
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (2)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0282 sec
Root Dispersion: 0.0187 sec
Reference Clock ID: 68.216.79.113
Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
Originate Time Stamp: Nov 27, 2018 09:08:52.1230 UTC
Receive Time Stamp: Jun 26, 2008 02:37:43.7211 UTC
Transmit Time Stamp: Jun 26, 2008 02:37:43.7212 UTC
No. Time Source Destination Protocol Info
13 8.204615 128.194.147.44 10.33.90.10 NTP NTP client
Frame 13 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: 
AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 
(10.33.90.10)
User Datagram Protocol, Src Port: 56540 (56540), Dst Port: ntp (123)
Network Time Protocol
Flags: 0x23
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Not representable
No. Time Source Destination Protocol Info
14 8.204760 10.33.90.10 128.194.147.44 NTP NTP server
Frame 14 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: 
Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 
(128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 56540 (56540)
Network Time Protocol
Flags: 0x24
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (2)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0282 sec
Root Dispersion: 0.0188 sec
Reference Clock ID: 68.216.79.113
Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
Originate Time Stamp: Not representable
Receive Time Stamp: Jun 26, 2008 02:37:48.0167 UTC
Transmit Time Stamp: Jun 26, 2008 02:37:48.0168 UTC
No. Time Source Destination Protocol Info
16 9.304386 128.194.147.44 10.33.90.10 NTP NTP client
Frame 16 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: 
AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 
(10.33.90.10)
User Datagram Protocol, Src Port: 48143 (48143), Dst Port: ntp (123)
Network Time Protocol
Flags: 0x23
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .011 = Mode: client (3)
Peer Clock Stratum: unspecified or unavailable (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference Clock ID: NULL
Reference Clock Update Time: NULL
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Jul 6, 2020 19:40:23.2793 UTC
No. Time Source Destination Protocol Info
17 9.304527 10.33.90.10 128.194.147.44 NTP NTP server
Frame 17 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: 
Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 
(128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 48143 (48143)
Network Time Protocol
Flags: 0x24
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (2)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0282 sec
Root Dispersion: 0.0188 sec
Reference Clock ID: 68.216.79.113
Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
Originate Time Stamp: Jul 6, 2020 19:40:23.2793 UTC
Receive Time Stamp: Jun 26, 2008 02:37:49.1164 UTC
Transmit Time Stamp: Jun 26, 2008 02:37:49.1164 UTC 
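
Added example, not part of the original post or of ntpd: a small Python summary of the two checks discussed in this thread, the distinct source ports seen per source IP and whether the client transmit timestamps are consistent. The function names and the offset-spread heuristic are assumptions of this example; the sample packets are constructed to mirror frames 3 and 16 of the capture, with whole seconds only.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def parse_request(payload):
    """Decode the NTP header fields shown in the dissection above."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    xmt_sec, xmt_frac = struct.unpack("!II", payload[40:48])
    return {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "xmt_unix": xmt_sec - NTP_UNIX_DELTA + xmt_frac / 2**32}

def summarize(packets):
    """packets: (server_recv_unix, src_ip, src_port, payload) tuples.
    Per source IP: request count, distinct source ports, and the spread of
    (client transmit time - server receive time). A merely wrong client clock
    gives a near-constant offset; random timestamps give a huge spread."""
    acc = defaultdict(lambda: {"requests": 0, "ports": set(), "offsets": []})
    for recv, ip, port, payload in packets:
        req = parse_request(payload)
        if req["mode"] != 3:          # count client requests only
            continue
        entry = acc[ip]
        entry["requests"] += 1
        entry["ports"].add(port)
        entry["offsets"].append(req["xmt_unix"] - recv)
    return {ip: {"requests": e["requests"], "ports": sorted(e["ports"]),
                 "offset_spread": max(e["offsets"]) - min(e["offsets"])}
            for ip, e in acc.items()}

def unix_ts(*ymdhms):
    """UTC calendar fields -> whole Unix seconds (helper for the sample data)."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

def make_request(xmt_unix):
    """Constructed sample: flags 0x23, stratum 0, poll 0, precision 0."""
    return (struct.pack("!BBbb", 0x23, 0, 0, 0) + bytes(36)
            + struct.pack("!II", xmt_unix + NTP_UNIX_DELTA, 0))

# Constructed packets mirroring frames 3 and 16 of the capture above.
SAMPLE = [
    (unix_ts(2008, 6, 26, 2, 37, 43), "128.194.147.44", 42536,
     make_request(unix_ts(2018, 11, 27, 9, 8, 52))),
    (unix_ts(2008, 6, 26, 2, 37, 49), "128.194.147.44", 48143,
     make_request(unix_ts(2020, 7, 6, 19, 40, 23))),
]

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row)
```

The port list alone does not separate one host from several behind a NAT router; it is the input to the source-port comparison described in the quoted reply.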




