[ntp:security] Possible rogue timer 201.201.97.82

Joseph Parmelee jparmele at wildbear.com
Sun Feb 3 15:01:41 UTC 2013




On Sat, 2 Feb 2013, Danny Mayer wrote:

> Joseph,
>
> This is not a security issue with NTP. You need to report problems like
> this to the pool people, we are not responsible for the pool project.
> You should go to the pool web page http://www.pool.ntp.org/ and find out
> how to report this.
>
> If you are concerned that your NTP server is locking on to a rogue
> server then I suggest you block the address at your firewall and then
> your NTP server will not be able to use it as a source of NTP time.
>
> Danny
>
> On 2/1/2013 1:41 PM, Joseph Parmelee wrote:
>> Good afternoon:
>>
>> It appears we might have a rogue timer at 201.201.97.82 as indicated by
>> this run:
>>
>> bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
>> 1.pool.ntp.org has address 190.106.66.11
>> 1.pool.ntp.org has address 201.201.97.82
>> 1.pool.ntp.org has address 190.106.66.12
>> 1.pool.ntp.org has address 200.59.16.3
>>  1 Feb 10:36:49 sntp[1569]: Started sntp
>>  2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
>>  2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
>>  2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
>>  2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
>>
>> Note that it claims an accuracy much better than its actual performance.
>>
>> Also note that this run shows my machine (which is not in the pool) to be
>> slow by some tens of milliseconds as indicated by the other members.  This
>> run was taken after my system had been locked onto 201.201.97.82; my pll
>> freq prior to that had been running a stable 23-25 ppm (depending on cpu
>> temp mainly) with estimated error below 20 ms.  It then locked onto one of
>> the other members but the pll freq was only at 9 ppm which indicates it was
>> considerably slower before, probably negative.  Unfortunately I don't have
>> the pll freq number while locked to 201.201.97.82.
>>
>> But this morning I again found my system locked onto 201.201.97.82 and slow
>> relative to the other members by A WHOPPING 0.451 seconds!!.  At the same
>> time my pll freq was up to 75 which should have made it fast.
>>
>> I can only conclude that 201.201.97.82 is periodically going into some kind
>> of positive feedback oscillation.  My system had been running very stably
>> for many months until they appeared on the scene.
>>
>> Please keep these guys out of the pool until they get it together as they
>> are very disruptive to anyone who tries to use them.
>>
>> Yours,
>>
>> Joseph Parmelee
>> Network Administrator
>> Wild Bear Systems
>>
>> PS This machine 201.201.97.82 does not appear in a reverse-dns and it
>> doesn't respond to pings or traceroutes (the others do).  Lacnic shows the
>> number registered to ICE Costa Rica, but that really tells us little; so is
>> my IP (201.191.100.135), and it doesn't show in reverse-dns either.  The
>> reverse-dns is ICE's responsibility.  I can only affect the forward-dns
>> (bruno.wildbear.com).
>>
>
>

Thanks for your reply.  It has the webpage I need.

Best regards,

Joseph
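
The comparison made by eye in the quoted sntp run can be automated. The following is an added example, not part of the original messages and not code from sntp or ntpd: it parses the four reply lines quoted above and flags any reply whose offset disagrees with the others by more than the claimed error bounds allow. The threshold rule (median of the other replies, sum of claimed errors) and the function names are assumptions chosen for illustration; replies are identified by position only, since the sntp output does not name the responding address.

```python
import re
from statistics import median

# Reply lines copied from the sntp run quoted in the message above.
SNTP_OUTPUT = """\
 2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
 2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
 2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
 2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
"""

# Matches "(+0600) +0.071919 +/- 0.055695 secs" and captures offset and error.
LINE_RE = re.compile(
    r"\([+-]\d{4}\)\s+([+-]\d+\.\d+)\s+\+/-\s+(\d+\.\d+)\s+secs"
)


def parse_sntp(text):
    """Return [(offset_s, claimed_error_s), ...], one tuple per reply line."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            samples.append((float(m.group(1)), float(m.group(2))))
    return samples


def inconsistent_sources(samples):
    """Return positions of replies that cannot be reconciled with the rest.

    Assumed rule (illustrative): a reply is flagged when its offset differs
    from the median offset of the other replies by more than its own claimed
    error plus the largest error claimed by any of the others.
    """
    flagged = []
    for i, (offset, err) in enumerate(samples):
        others = [s for j, s in enumerate(samples) if j != i]
        if len(others) < 2:
            continue  # too few peers to form a consensus
        consensus = median(o for o, _ in others)
        slack = err + max(e for _, e in others)
        if abs(offset - consensus) > slack:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for i in inconsistent_sources(parse_sntp(SNTP_OUTPUT)):
        print(f"reply #{i + 1} disagrees with the others beyond its claimed error")
```
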


