[ntp:security] Possible rogue timer 126.96.36.199
jparmele at wildbear.com
Sun Feb 3 15:01:41 UTC 2013
On Sat, 2 Feb 2013, Danny Mayer wrote:
> This is not a security issue with NTP. You need to report problems like
> this to the pool people, we are not responsible for the pool project.
> You should go to the pool web page http://www.pool.ntp.org/ and find out
> how to report this.
> If you are concerned that your NTP server is locking on to a rogue
> server then I suggest you block the address at your firewall and then
> your NTP server will not be able to use it as a source of NTP time.
> On 2/1/2013 1:41 PM, Joseph Parmelee wrote:
>> Good afternoon:
>> It appears we might have a rogue timer at 188.8.131.52 as indicated by
>> bruno1:root ~# host 1.pool.ntp.org; sntp 1.pool.ntp.org; date
>> 1.pool.ntp.org has address 184.108.40.206
>> 1.pool.ntp.org has address 220.127.116.11
>> 1.pool.ntp.org has address 18.104.22.168
>> 1.pool.ntp.org has address 22.214.171.124
>> 1 Feb 10:36:49 sntp: Started sntp
>> 2013-02-01 10:36:49.825685 (+0600) +0.071919 +/- 0.055695 secs
>> 2013-02-01 10:36:50.337036 (+0600) +0.310621 +/- 0.038986 secs
>> 2013-02-01 10:36:50.463557 (+0600) +0.064400 +/- 0.048218 secs
>> 2013-02-01 10:36:50.640997 (+0600) +0.08024 +/- 0.030884 secs
>> Note that it claims an accuracy much better than its actual performance.
>> Also note that this run shows my machine (which is not in the pool) to be
>> slow by some tens of milliseconds as indicated by the other members. This
>> run was taken after my system had been locked onto 126.96.36.199; my pll
>> freq prior to that had been running a stable 23-25 ppm (depending on cpu
>> temp mainly) with estimated error below 20 ms. It then locked onto one of
>> the other members but the pll freq was only at 9 ppm which indicates it was
>> considerably slower before, probably negative. Unfortunately I don't have
>> the pll freq number while locked to 188.8.131.52.
>> But this morning I again found my system locked onto 184.108.40.206 and slow
>> relative to the other members by A WHOPPING 0.451 seconds!!. At the same
>> time my pll freq was up to 75 which should have made it fast.
>> I can only conclude that 220.127.116.11 is periodically going into some kind
>> of positive feedback oscillation. My system had been running very stably
>> for many months until they appeared on the scene.
>> Please keep these guys out of the pool until they get it together as they
>> are very disruptive to anyone who tries to use them.
>> Joseph Parmelee
>> Network Administrator
>> Wild Bear Systems
>> PS This machine 18.104.22.168 does not appear in a reverse-dns and it
>> doesn't respond to pings or traceroutes (the others do). Lacnic shows the
>> number registered to ICE Costa Rica, but that really tells as little; so is
>> my IP (22.214.171.124), and it doesn't show in reverse-dns either. The
>> reverse-dns is ICE's responsibility. I can only affect the forward-dns
Thanks for your reply. It has the webpage I need.
More information about the security