[ntp:hackers] NTP clients using source ports lower than 123
David Malone
dwmalone at maths.tcd.ie
Sun Dec 20 23:03:05 UTC 2009
On Thu, Dec 17, 2009 at 04:21:34PM +0000, Ronan Flood wrote:
> Is that right? I'm still running 4.2.2 and I see clients in my monlists
> using source ports lower than 123. In fact I had dealings recently with
> a customer on a Windows client whose queries were coming from port 19;
> and they still are. He's behind a firewall which may be doing NAT.
I see lots of ports < 123 too. Here's a log-log histogram of port
number against how many packets we see from that port to out NTP
server over some period of time:
http://www.maths.tcd.ie/~dwmalone/time/porthistogram.png
[That's not to say all of these are good packets, but...] Internestingly,
it looks like the ephemeral port range from 512-1024 is a bit less
popular than the well-known range.
The blip down to one is 1434, which is the SQL Slammer port.
David.
More information about the hackers
mailing list