[ntp:hackers] Profiling abusive clients

Danny Mayer mayer at ntp.isc.org
Sat Nov 24 02:37:49 GMT 2007


Dave,

I thought that the NTPv4 draft protocol specification says the KOD
packet does not require a valid NTP timestamp, though looking at the
latest draft I see that it doesn't say that but it should explicitly
state that. In such a case setting the server's timestamp to 0 will
guarantee that the error is noticed if the client ignores the KOD and
accepts the timestamp as valid. We need to get these errant clients
voted off the planet and this is one way to do so.

Also a closer examination of what you are doing will actually cause the
client to gradually edge back from the server's time because once it's
calculated the time delay it will assume that it's off by half the
round-trip delay and subtract the amount from its clock time. I am
assuming of course that they have set themselves up to send requests to
just the one server. This should of course do the required violence to
the client clock.

Danny

David L. Mills wrote:
> Guys,
> 
> A closer examination of the rackety.udel.edu abusers reveals an 
> interesting profile. Currently, there is one abuser honking continuously 
> at three seconds, another at five seconds and a third at eight seconds. 
> This is the same kind of abuse noted in the PTTI paper about NIST and 
> USNO abuse. However, there are several cases where the perp sends two 
> messages back-to-back at less than one second intervals, but does this 
> only infrequently. The prevalence of these two classes of abusers 
> suggests there are at least two different implementations that behave in 
> the manner observed.
> 
> The latest code will return KoDs in either of these cases. The 
> interesting thing is that, if the KoDs are simply ignored, the abuser 
> will continue to have success, even if the majority of packets are 
> dropped or result in KoDs. If the client code does not understand and 
> discards the KoDs, the client time will not be adjusted, even if those 
> packets that do get through are believed. The bottom line is that the 
> naive user will probably not even notice the KoDs. Perhaps the KoD design 
> should be more violent and purposely destabilize the client clock.
> 
> Dave
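
Added example (not part of either message above, and not ntpd's own code): a client-side check in C that classifies a server reply before any clock arithmetic, so that a KoD, or a reply whose transmit timestamp has been zeroed as suggested above, is never used as a time sample. The function and enum names are hypothetical and the sample packets are constructed; the field offsets and the RATE, DENY and RSTR kiss codes are those of the NTPv4 packet header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reply_class {
    REPLY_USABLE,    /* may be used as a time sample */
    REPLY_KOD_RATE,  /* kiss code RATE: lengthen the poll interval */
    REPLY_KOD_STOP,  /* kiss code DENY or RSTR: stop polling this server */
    REPLY_KOD_OTHER, /* other stratum-0 kiss code: never a time sample */
    REPLY_INVALID    /* short, wrong mode, or zero transmit timestamp */
};

/* Classify a server reply before any clock arithmetic touches it. */
enum reply_class classify_reply(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_ts[8] = {0};
    if (pkt == NULL || len < 48 || (pkt[0] & 0x07) != 4)
        return REPLY_INVALID;                /* need 48-byte header, mode 4 */
    if (pkt[1] == 0) {                       /* stratum 0 = kiss-o'-death */
        const uint8_t *code = pkt + 12;      /* reference ID = ASCII kiss code */
        if (memcmp(code, "RATE", 4) == 0)
            return REPLY_KOD_RATE;
        if (memcmp(code, "DENY", 4) == 0 || memcmp(code, "RSTR", 4) == 0)
            return REPLY_KOD_STOP;
        return REPLY_KOD_OTHER;
    }
    if (memcmp(pkt + 40, zero_ts, 8) == 0)   /* transmit timestamp is zero */
        return REPLY_INVALID;
    return REPLY_USABLE;
}

/* Constructed sample reply (not captured traffic). */
void make_reply(uint8_t pkt[48], uint8_t stratum, const char *refid, uint32_t xmt_sec)
{
    memset(pkt, 0, 48);
    pkt[0] = (uint8_t)((4 << 3) | 4);        /* LI=0, VN=4, mode=4 */
    pkt[1] = stratum;
    memcpy(pkt + 12, refid, 4);
    for (int i = 0; i < 4; i++)              /* seconds field, big-endian */
        pkt[40 + i] = (uint8_t)(xmt_sec >> (24 - 8 * i));
}

int main(void)
{
    uint8_t pkt[48];
    make_reply(pkt, 0, "RATE", 0);   /* KoD carrying a zeroed timestamp */
    printf("KoD RATE, xmt=0 -> %d\n", (int)classify_reply(pkt, sizeof pkt));
    make_reply(pkt, 2, "XXXX", 0);   /* placeholder refid, zero timestamp */
    printf("stratum 2, xmt=0 -> %d\n", (int)classify_reply(pkt, sizeof pkt));
}
```

A client that skips this classification and feeds every mode-4 reply into its offset calculation is the case both messages describe.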

