[ntp:security] Possible rogue timer 126.96.36.199
mayer at ntp.org
Sun Feb 3 03:31:38 UTC 2013
This is not a security issue with NTP. You need to report problems like
this to the pool people; we are not responsible for the pool project.
You should go to the pool web page http://www.pool.ntp.org/ and find out
how to report this.

If you are concerned that your NTP server is locking on to a rogue
server then I suggest you block the address at your firewall and then
your NTP server will not be able to use it as a source of NTP time.

On 2/1/2013 1:41 PM, Joseph Parmelee wrote:
> Good afternoon:
> It appears we might have a rogue timer at 188.8.131.52 as indicated by
> bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
> 1.pool.ntp.org has address 184.108.40.206
> 1.pool.ntp.org has address 220.127.116.11
> 1.pool.ntp.org has address 18.104.22.168
> 1.pool.ntp.org has address 22.214.171.124
> 1 Feb 10:36:49 sntp: Started sntp
> 2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
> 2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
> 2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
> 2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
> Note that it claims an accuracy much better than its actual performance.
> Also note that this run shows my machine (which is not in the pool) to be
> slow by some tens of milliseconds as indicated by the other members. This
> run was taken after my system had been locked onto 126.96.36.199; my pll
> freq prior to that had been running a stable 23-25 ppm (depending on cpu
> temp mainly) with estimated error below 20 ms. It then locked onto one of
> the other members but the pll freq was only at 9 ppm which indicates it was
> considerably slower before, probably negative. Unfortunately I don't have
> the pll freq number while locked to 188.8.131.52.
> But this morning I again found my system locked onto 184.108.40.206 and slow
> relative to the other members by A WHOPPING 0.451 seconds!! At the same
> time my pll freq was up to 75 which should have made it fast.
> I can only conclude that 220.127.116.11 is periodically going into some kind
> of positive feedback oscillation. My system had been running very stably
> for many months until they appeared on the scene.
> Please keep these guys out of the pool until they get it together as they
> are very disruptive to anyone who tries to use them.
> Joseph Parmelee
> Network Administrator
> Wild Bear Systems
> PS This machine 18.104.22.168 does not appear in a reverse-dns and it
> doesn't respond to pings or traceroutes (the others do). Lacnic shows the
> number registered to ICE Costa Rica, but that really tells us little; so is
> my IP (22.214.171.124), and it doesn't show in reverse-dns either. The
> reverse-dns is ICE's responsibility. I can only affect the forward-dns
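
The quoted report's observation that one source "claims an accuracy much better than its actual performance" can be checked mechanically. The following Python is an added example, not part of either message and not ntpd's own source-selection algorithm: it parses the sntp result lines quoted above and flags any sample whose claimed error interval fails to overlap a majority of the other samples. The function names and the majority threshold are assumptions made for illustration.

```python
import re

# sntp result lines as quoted in the post above (leading "> " removed).
SNTP_OUTPUT = """\
1 Feb 10:36:49 sntp: Started sntp
2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
"""

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \([+-]\d{4}\) "
    r"(?P<offset>[+-]\d+\.\d+) \+/- (?P<err>\d+\.\d+) secs$"
)

def parse_samples(text):
    """Return (offset, claimed_error) in seconds for each sntp result line."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            samples.append((float(m["offset"]), float(m["err"])))
    return samples

def find_outliers(samples):
    """Indices of samples whose claimed interval misses most of the others."""
    flagged = []
    for i, (off_i, err_i) in enumerate(samples):
        others = [s for j, s in enumerate(samples) if j != i]
        # Intervals [off - err, off + err] overlap when the offsets differ
        # by no more than the sum of the two claimed error bounds.
        agree = sum(abs(off_i - off) <= err_i + err for off, err in others)
        if others and agree * 2 < len(others):
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    samples = parse_samples(SNTP_OUTPUT)
    for i in find_outliers(samples):
        off, err = samples[i]
        print(f"sample {i}: offset {off:+.6f}s, claims +/- {err}s, no majority overlap")
```

The sntp output does not say which pool address produced which line, so the result is an index into the result lines rather than a server address.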