[ntp:security] Possible rogue timer 201.201.97.82

Joseph Parmelee jparmele at wildbear.com
Fri Feb 1 18:41:49 UTC 2013


Good afternoon:

It appears we might have a rogue timer at 201.201.97.82 as indicated by this
run:

bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
1.pool.ntp.org has address 190.106.66.11
1.pool.ntp.org has address 201.201.97.82
1.pool.ntp.org has address 190.106.66.12
1.pool.ntp.org has address 200.59.16.3
  1 Feb 10:36:49 sntp[1569]: Started sntp
  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs

Note that it claims an accuracy much better than its actual performance.

Also note that this run shows my machine (which is not in the pool) to be
slow by some tens of milliseconds as indicated by the other members.  This
run was taken after my system had been locked onto 201.201.97.82; my pll
freq prior to that had been running a stable 23-25 ppm (depending on cpu
temp mainly) with estimated error below 20 ms.  It then locked onto one of
the other members but the pll freq was only at 9 ppm which indicates it was
considerably slower before, probably negative.  Unfortunately I don't have
the pll freq number while locked to 201.201.97.82.

But this morning I again found my system locked onto 201.201.97.82 and slow
relative to the other members by A WHOPPING 0.451 seconds!!  At the same
time my pll freq was up to 75 which should have made it fast.

I can only conclude that 201.201.97.82 is periodically going into some kind
of positive feedback oscillation.  My system had been running very stably
for many months until they appeared on the scene.

Please keep these guys out of the pool until they get it together as they
are very disruptive to anyone who tries to use them.

Yours,

Joseph Parmelee
Network Administrator
Wild Bear Systems

PS This machine 201.201.97.82 does not appear in a reverse-dns and it
doesn't respond to pings or traceroutes (the others do).  LACNIC shows the
number registered to ICE Costa Rica, but that really tells us little; so is
my IP (201.191.100.135), and it doesn't show in reverse-dns either.  The
reverse-dns is ICE's responsibility.  I can only affect the forward-dns
(bruno.wildbear.com).
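
The comparison the message above makes by eye, written out as an added example that is not part of the original post: each sntp line is treated as an interval (offset +/- claimed error), a Marzullo-style sweep finds the range most samples agree on, and any sample whose interval misses that range is flagged. Function names are hypothetical; samples are identified only by line position, because the sntp output itself does not say which address produced which line.

```python
import re

# The four sntp result lines exactly as posted in the message above.
SNTP_OUTPUT = """\
  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
"""

SAMPLE_RE = re.compile(r"([+-]\d+\.\d+)\s+\+/-\s+(\d+\.\d+)\s+secs")

def parse_samples(text):
    """Return [(offset, claimed_error), ...] in the order the lines appear."""
    return [(float(m.group(1)), float(m.group(2))) for m in SAMPLE_RE.finditer(text)]

def majority_interval(samples):
    """Sweep the interval edges; return (count, lo, hi) of the best-covered range."""
    edges = []
    for off, err in samples:
        edges.append((off - err, 0))  # 0 = opens; sorts before a close on a tie
        edges.append((off + err, 1))  # 1 = closes
    edges.sort()
    best = count = 0
    lo = hi = None
    for i, (value, kind) in enumerate(edges):
        if kind == 0:
            count += 1
            if count > best:
                # The range runs from this opening edge to the next edge.
                best, lo, hi = count, value, edges[i + 1][0]
        else:
            count -= 1
    return best, lo, hi

def falsetickers(samples):
    """Indexes (0-based) of samples outside the majority range, or None
    when no strict majority of samples agree and nothing can be decided."""
    best, lo, hi = majority_interval(samples)
    if best * 2 <= len(samples):
        return None
    return [i for i, (off, err) in enumerate(samples)
            if off + err < lo or off - err > hi]

if __name__ == "__main__":
    samples = parse_samples(SNTP_OUTPUT)
    print("majority range:", majority_interval(samples))
    print("samples outside it:", falsetickers(samples))
```

A sample flagged here is one whose claimed error bound cannot be reconciled with the other responses, which is the condition the message describes as claiming better accuracy than it delivers.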
