[ntp:hackers] NTP clients using source ports lower than 123

David Malone dwmalone at maths.tcd.ie
Mon Dec 21 09:22:14 UTC 2009


> I assume that you are not filtering any of these out at your firewall?

The machine is substantially unfiltered on port 123. I can't be
completely certain that there is no filtering upstream, as there is
another firewall upstream of us that should let all packets past.
There might be some exceptions on the second firewall - that may
explain the SQL Slammer port having just 1 packet. I can't check
for certain, as I don't have direct admin access to it. If you're
interested, I could follow up and see exactly what the filtering
is.

> I also assume that the last number on the ports is 100,000 and not 10,000?

Yes - gnuplot truncated the PNG.

> I question any NTP packet coming from a low-numbered port.

My gut feeling is that these are machines behind NAT. I know some
of them are in corporate networks, and provide services for substantial
numbers of clients.

I've occasionally thought that either ntp.org or the IETF NTP WG
could produce some guidelines for NTP behind NAT - I see quite a
few connections that seem to have a state timeout of < 1024s, which
means that the port number keeps changing once you hit a large poll
value. This makes multiple users behind a NAT hard to track. There
are probably other issues too.

	David.

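The NAT behaviour described above, as an added illustration that is not part of the original post: a constructed NAT with a UDP mapping idle timeout, and NTP clients behind it polling from source port 123 every 2**poll seconds. The sequential external-port allocator starting at 1024 is a simplification, not any real NAT's policy.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Constructed NAT: one mapping per (inner_ip, inner_port), dropped when idle."""
    timeout: int                   # seconds of idleness before a mapping is dropped
    next_port: int = 1024          # hypothetical allocator: hands out ports sequentially
    table: dict = field(default_factory=dict)  # (inner_ip, inner_port) -> (ext_port, last_used)

    def translate(self, inner_ip, inner_port, now):
        key = (inner_ip, inner_port)
        entry = self.table.get(key)
        if entry is None or now - entry[1] > self.timeout:
            ext_port = self.next_port      # mapping expired: a fresh external port
            self.next_port += 1
        else:
            ext_port = entry[0]            # mapping still alive: same external port
        self.table[key] = (ext_port, now)
        return ext_port

def observed_ports(nat, clients, poll, duration):
    """External source ports the NTP server sees per inner client over
    `duration` seconds when each client polls every 2**poll seconds."""
    seen = {c: set() for c in clients}
    interval = 2 ** poll
    for i, client in enumerate(clients):
        t = i                              # constructed: stagger clients by one second
        while t < duration:
            seen[client].add(nat.translate(client, 123, t))
            t += interval
    return seen

def apparent_clients(seen):
    """Distinct external ports, i.e. how many 'clients' the server would count."""
    return sum(len(ports) for ports in seen.values())

if __name__ == "__main__":
    # Timeout below 1024 s: at poll 10 (1024 s) every poll gets a new port.
    fast = Nat(timeout=900)
    print(observed_ports(fast, ["10.0.0.1", "10.0.0.2"], poll=10, duration=5 * 1024))
    # Same timeout at poll 6 (64 s): the mapping never expires, one port per client.
    slow = Nat(timeout=900)
    print(observed_ports(slow, ["10.0.0.1", "10.0.0.2"], poll=6, duration=5 * 1024))
```

With the idle timeout under 1024 s, two real clients at poll 10 appear to the server as ten distinct (address, port) pairs, which is why per-port tracking of NAT'd clients breaks down at large poll values.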