[ntp:security] Possible rogue timer 201.201.97.82

Danny Mayer mayer at ntp.org
Sun Feb 3 03:31:38 UTC 2013


Joseph,

This is not a security issue with NTP. You need to report problems like
this to the pool people; we are not responsible for the pool project.
You should go to the pool web page http://www.pool.ntp.org/ and find out
how to report this.

If you are concerned that your NTP server is locking on to a rogue
server then I suggest you block the address at your firewall and then
your NTP server will not be able to use it as a source of NTP time.

Danny

On 2/1/2013 1:41 PM, Joseph Parmelee wrote:
> Good afternoon:
> 
> It appears we might have a rogue timer at 201.201.97.82 as indicated by
> this run:
> 
> bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
> 1.pool.ntp.org has address 190.106.66.11
> 1.pool.ntp.org has address 201.201.97.82
> 1.pool.ntp.org has address 190.106.66.12
> 1.pool.ntp.org has address 200.59.16.3
>  1 Feb 10:36:49 sntp[1569]: Started sntp
>  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
>  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
>  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
>  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
> 
> Note that it claims an accuracy much better than its actual performance.
> 
> Also note that this run shows my machine (which is not in the pool) to be
> slow by some tens of milliseconds as indicated by the other members.  This
> run was taken after my system had been locked onto 201.201.97.82; my pll
> freq prior to that had been running a stable 23-25 ppm (depending on cpu
> temp mainly) with estimated error below 20 ms.  It then locked onto one of
> the other members but the pll freq was only at 9 ppm which indicates it was
> considerably slower before, probably negative.  Unfortunately I don't have
> the pll freq number while locked to 201.201.97.82.
> 
> But this morning I again found my system locked onto 201.201.97.82 and slow
> relative to the other members by A WHOPPING 0.451 seconds!!  At the same
> time my pll freq was up to 75 which should have made it fast.
> 
> I can only conclude that 201.201.97.82 is periodically going into some kind
> of positive feedback oscillation.  My system had been running very stably
> for many months until they appeared on the scene.
> 
> Please keep these guys out of the pool until they get it together as they
> are very disruptive to anyone who tries to use them.
> 
> Yours,
> 
> Joseph Parmelee
> Network Administrator
> Wild Bear Systems
> 
> PS This machine 201.201.97.82 does not appear in a reverse-dns and it
> doesn't respond to pings or traceroutes (the others do).  Lacnic shows the
> number registered to ICE Costa Rica, but that really tells us little; so is
> my IP (201.191.100.135), and it doesn't show in reverse-dns either.  The
> reverse-dns is ICE's responsibility.  I can only affect the forward-dns
> (bruno.wildbear.com).
> 