[ntp:hackers] NTP clients using source ports lower than 123

David Malone dwmalone at maths.tcd.ie
Sun Dec 20 23:03:05 UTC 2009


On Thu, Dec 17, 2009 at 04:21:34PM +0000, Ronan Flood wrote:
> Is that right?  I'm still running 4.2.2 and I see clients in my monlists
> using source ports lower than 123.  In fact I had dealings recently with
> a customer on a Windows client whose queries were coming from port 19;
> and they still are.  He's behind a firewall which may be doing NAT.

I see lots of ports < 123 too. Here's a log-log histogram of port
number against how many packets we see from that port to out NTP
server over some period of time:

	http://www.maths.tcd.ie/~dwmalone/time/porthistogram.png

[That's not to say all of these are good packets, but...] Internestingly,
it looks like the ephemeral port range from 512-1024 is a bit less
popular than the well-known range.

The blip down to one is 1434, which is the SQL Slammer port.

	David.


More information about the hackers mailing list