[Pool] Port 37 UDP

David Lord david at lordynet.org
Sat Jul 3 10:43:11 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2 Jul 2010 at 22:02, Patrick Domack wrote:

> I have no idea why you are explaining to me what the Time service is. 
> I know what it is.
> 
> My question/statement was that I am seeing 10x as many coming from 
> invalid ip's vs valid ip's.

I would have to change my firewall rules to monitor invalid ip 
addresses. My servers are non nat but my routers do nat from 
my lan and whilst tcp is essentially problem free, udp and other
traffic certainly isn't except when traffic levels are low.

Over June I've reponded to 905 port 37 requests from my ntp0
and 165 requests from my ntp1 server. Last check months ago
on the clients indicated they were mostly from same ips.

I've not totalled up port 123 for a while but when I was
counting, the most requests over a short period was about
15000 over 30 minutes from a certain countries telco.


David


> 
> Quoting "Ryan A. Krenzischek" <ryan at bbnx.net>:
> 
> >
> > Patrick,
> >
> > 37/UDP and 37/TCP is the standard time service that traditionally 
> > runs out of inetd or xinetd.  It has a base line of 1 jan 1900 
> > instead of the standard EPOCH which starts 1 Jan 1970.  Information 
> > regarding the standard time service is found here 
> > (http://tools.ietf.org/html/rfc868) and 
> > http://www.nist.gov/physlab/div847/grp40/its.cfm.  Some really old 
> > clients using rdate use this to do a one-type sync for date/time 
> > from another machine.  NIST has phased out all but one server 
> > (time-nw.nist.gov) that will answer on 37/UDP and 37/TCP.  They plan
> >  to discontinue this service in the future.
> >
> > Please note that the standard time service can not be used for NTP
> > sync.
> >
> > Regards,
> >
> > Ryan
> >
> > On Fri, 2 Jul 2010, Patrick Domack wrote:
> >
> >> Date: Fri, 02 Jul 2010 18:49:34 -0400
> >> From: Patrick Domack <patrickdk at patrickdk.com>
> >> To: pool at lists.ntp.org
> >> Subject: [Pool] Port 37 UDP
> >>
> >> I have noticed (as I was changing around dns and ntp on my systems)
> >>  that I get lots of port 37 requests.
> >>
> >> About 8 per second from private ip addresses, and 1 per 10seconds 
> >> from a valid ip
> >>
> >> Someone out here making horribly bad nat routers that only do tcp?
> >>
> >> 18:41:43.021572 IP 10.4.57.240.1026 > 38.117.195.101.37: UDP,
> >> length 0 18:41:43.084644 IP 10.1.58.238.1025 > 38.117.195.101.37:
> >> UDP, length 0 18:41:43.132121 IP 10.3.64.167.1026 >
> >> 38.117.195.101.37: UDP, length 0 18:41:43.309778 IP
> >> 10.3.59.111.1026 > 38.117.195.101.37: UDP, length 0 18:41:43.518093
> >> IP 10.4.56.39.1027 > 38.117.195.101.37: UDP, length 0
> >> 18:41:43.617981 IP 10.18.128.60.4087 > 38.117.195.101.123: NTPv1, 
> >> Client, length 48 18:41:43.750568 IP 10.18.128.99.1442 >
> >> 38.117.195.101.123: NTPv1,  Client, length 48 18:41:43.827442 IP
> >> 10.18.128.115.1571 > 38.117.195.101.123: NTPv1,  Client, length 48
> >> 18:41:43.902925 IP 10.1.19.83.1027 > 38.117.195.101.37: UDP, length
> >> 0
> >
> 
> 
> 
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool

- -- 
David Lord <david at lordynet.org>
<ftp://ftp.lordynet.org/pub/pgpkeys/lg_david.pkr>
<http://www.lordynet.org/pub/pgpkeys/lg_david.pkr>



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4 -- QDPGP 2.65 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBTC8UQK2RmIodDo7KEQIIKQCfaTv5JghfwO5EkFacDzNW2HVIj5IAnR3z
J5VCs1/FdxGWyZk4i7ZquU3N
=P+2Y
-----END PGP SIGNATURE-----


More information about the pool mailing list