[ntp:hackers] Looking over tock.usno.navy.mil monlist

David L. Mills mills at udel.edu
Tue Sep 16 10:33:31 PDT 2003


Rich,

Geeze, I guess tock.usno.navy.mil is indeed the biggest elephant on the
block. It is currently victim of 311 packets/s and entries on the LRU
list last less than two seconds. However, I learned a few things.

First, at any one time there are about two dozen birds pecking at
one-second intervals. Each burst lasts for up to 2000 pecks and then the
bird flies away for at least two seconds. It could be they are pecking
continuously and for some reason a network burp occurs with result a
two-second or more delay. I expect if you turn on rate limiting the
pecks might subside to peeps.

Second, the vast majority of birds are not using a source port of 123,
which would ordinarily indicate many SNTP clients and only a few NTP
daemons. Per advice, SNTP clients use a version number of one, while NTP
daemons use the current version. If this is the case, the data suggest
either a very high proportion of really old version-1 NTP daemons or a
large proportion of SNTP clients that actually conform to the SNTP spec
requiring both source and destination ports 123. So far I haven't found
instances of the latter, so I conclude there exists a sizeable
penetration of 1988-vintage birds in the NTP coop.

Third, there is a fair number of goofball rejects, like broken formats,
bad authentication(?). You have Autokey turned on, but from what I see
every attempt to authenticate a packet has failed. These might be your
friends. Or your enemies.

Dave
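
An added example, not part of the original message or of the NTP distribution: one way to tally monitor-list entries by the source-port and version heuristics the message describes, and to list clients polling at one-second intervals. The record layout, bucket names, threshold and sample records are constructed assumptions.

```python
from collections import Counter

NTP_PORT = 123
PECK_INTERVAL_S = 1  # assumed threshold: average interval counted as "pecking"

# Constructed sample records, not data from the server in the message:
# (address, source_port, ntp_version, packet_count, avg_interval_s)
SAMPLE = [
    ("192.0.2.10", 123, 4, 40, 64),
    ("192.0.2.11", 32768, 1, 1800, 1),
    ("192.0.2.12", 1047, 1, 2000, 1),
    ("192.0.2.13", 123, 1, 12, 1024),
    ("192.0.2.14", 4021, 3, 5, 900),
    ("192.0.2.15", 2210, 1, 950, 1),
]


def classify(source_port, version):
    """Bucket a client by source port (123 or not) and version (1 or later)."""
    from_123 = source_port == NTP_PORT
    if version == 1:
        # Version 1 from port 123 is the ambiguous case in the message:
        # a very old NTP daemon, or an SNTP client using port 123 both ways.
        return "v1-port123" if from_123 else "v1-other-port"
    # Assumption: any version above 1 is treated as "current" here.
    return "current-port123" if from_123 else "current-other-port"


def summarize(records):
    """Return (bucket counts, one-second pollers sorted by packet count)."""
    buckets = Counter()
    peckers = []
    for addr, port, version, count, avg_interval in records:
        buckets[classify(port, version)] += 1
        if avg_interval <= PECK_INTERVAL_S:
            peckers.append((addr, count))
    peckers.sort(key=lambda entry: entry[1], reverse=True)
    return buckets, peckers


if __name__ == "__main__":
    buckets, peckers = summarize(SAMPLE)
    for name, total in buckets.most_common():
        print(f"{name:20s} {total}")
    for addr, count in peckers:
        print(f"one-second poller {addr} packets={count}")
```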


