[ntp:security] Possible rogue timer 22.214.171.124
jparmele at wildbear.com
Fri Feb 1 18:41:49 UTC 2013
It appears we might have a rogue timer at 126.96.36.199 as indicated by this
bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
1.pool.ntp.org has address 188.8.131.52
1.pool.ntp.org has address 184.108.40.206
1.pool.ntp.org has address 220.127.116.11
1.pool.ntp.org has address 18.104.22.168
1 Feb 10:36:49 sntp: Started sntp
2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
Note that it claims an accuracy much better than its actual performance.
Also note that this run shows my machine (which is not in the pool) to be
slow by some tens of milliseconds as indicated by the other members. This
run was taken after my system had been locked onto 22.214.171.124; my pll
freq prior to that had been running a stable 23-25 ppm (depending on cpu
temp mainly) with estimated error below 20 ms. It then locked onto one of
the other members but the pll freq was only at 9 ppm which indicates it was
considerably slower before, probably negative. Unfortunately I don't have
the pll freq number while locked to 126.96.36.199.
But this morning I again found my system locked onto 188.8.131.52 and slow
relative to the other members by A WHOPPING 0.451 seconds!!. At the same
time my pll freq was up to 75 which should have made it fast.
I can only conclude that 184.108.40.206 is periodically going into some kind
of positive feedback oscillation. My system had been running very stably
for many months until they appeared on the scene.
Please keep these guys out of the pool until they get it together as they
are very disruptive to anyone who tries to use them.
Wild Bear Systems
PS This machine 220.127.116.11 does not appear in a reverse-dns and it
doesn't respond to pings or traceroutes (the others do). Lacnic shows the
number registered to ICE Costa Rica, but that really tells as little; so is
my IP (18.104.22.168), and it doesn't show in reverse-dns either. The
reverse-dns is ICE's responsibility. I can only affect the forward-dns
More information about the security