[ntp:questions] symmetric active while configuration uses server mode, RFC compliant or not?
Joe the Shmoe
news at edrusb.is-a-geek.org
Sat May 18 07:14:27 UTC 2013
After having read the RFC 5905 and having partially understood it (much
too technical about time aspects for me), I still cannot figure out
whether the facts I observe are:
- RFC compliant or not
- a configuration error on my side
- a bug in the software I use (ntpd)
- the symptoms of an attack or of attempted attacks.
Here is what I observe:
The host has been configured to obtain its clock as a client from several
NTP parents of stratum 2. It is a member of the ntp.pool.org and thus
provides time to many hundred clients per hour.
Out of curiosity I have intercepted the NTP exchanges using wireshark, and
besides the expected NTP client and NTP server exchanges, I see NTP
symmetric active and symmetric passive ones.
Zooming in on these I see two types of requests:
- received symmetric active from unconfigured hosts, which get answered
by symmetric passive from my host. Here the point I do not understand is
that the NTP server is configured in a way to "Deny packets that might
mobilize an association unless authenticated." Shouldn't the server
ignore the requests rather than answering them by a symmetric passive?
- Other symmetric active requests come from the server itself toward one
of the 5 configured hosts. But the server only makes use of "server" in
the configuration (no "peer" statement). This occurs after a first NTP
client request to that configured host which gets answered by two NTP
server packets from the configured host.
Looking at the ntpd bug database, I could not find anything that matches
what I observed.
Thanks for any ideas,
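
An added example, not part of the original post and not ntpd code: a small classifier that reads the 3-bit Mode field defined in RFC 5905 from captured NTP payloads and labels the two kinds of symmetric traffic described above. The addresses, the capture and all function names are constructed for illustration.

```python
import struct

# NTP association modes from RFC 5905 (3-bit Mode field of the first header byte).
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

def parse_header(payload):
    """Return (leap, version, mode, stratum), or None if shorter than the 48-byte header."""
    if len(payload) < 48:
        return None
    first, stratum = struct.unpack_from("!BB", payload)
    return first >> 6, (first >> 3) & 0x7, first & 0x7, stratum

def classify(src, dst, payload, local, configured):
    """Label one captured packet relative to the local server's configuration."""
    hdr = parse_header(payload)
    if hdr is None:
        return "malformed"
    mode = hdr[2]
    if mode == 1 and dst == local and src not in configured:
        return "inbound symmetric active from unconfigured host"
    if mode == 2 and src == local and dst not in configured:
        return "outbound symmetric passive reply to unconfigured host"
    if mode == 1 and src == local and dst in configured:
        return "outbound symmetric active to configured server"
    return MODES[mode]

def make_packet(version, mode, stratum):
    """Build a constructed 48-byte NTP header (LI=0, timestamps zeroed)."""
    return bytes([(version << 3) | mode, stratum]) + bytes(46)

# Constructed sample capture using documentation addresses, not real hosts.
LOCAL = "192.0.2.10"
CONFIGURED = {"198.51.100.1", "198.51.100.2"}
CAPTURE = [
    ("203.0.113.7", LOCAL, make_packet(4, 3, 0)),   # ordinary pool client
    (LOCAL, "203.0.113.7", make_packet(4, 4, 3)),   # normal server reply
    ("203.0.113.9", LOCAL, make_packet(3, 1, 3)),   # unsolicited symmetric active
    (LOCAL, "203.0.113.9", make_packet(3, 2, 3)),   # symmetric passive answer
    (LOCAL, "198.51.100.1", make_packet(4, 1, 3)),  # symmetric active to a "server" entry
    ("203.0.113.5", LOCAL, b"\x1b"),                # truncated datagram
]

def report(capture=CAPTURE):
    """Classify every (src, dst, payload) tuple in the capture."""
    return [classify(s, d, p, LOCAL, CONFIGURED) for s, d, p in capture]

if __name__ == "__main__":
    for line in report():
        print(line)
```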