[ntp:questions] Re: Question on abusive clients.

Michael Deutschmann michael at talamasca.ocis.net
Thu Dec 22 03:25:23 UTC 2005


On Thu, 22 Dec 2005, Karel Sandler wrote:
> My question is, if there is a possibility how to distinguish between a
> misconfigured client or a group of more or less standard clients behind a
> NAT. Originally, I thought, it would be easy. Ideally, the timestamps of a

Perhaps you could look at the source ports.  I'm not sure, but I think NTPD
not only listens on port 123, it uses that as its source port.  A
masquerading system will remap the source port to something else, usually
quite high, and definitely outside of Unix's traditional "reserved ports"
range (< 1024).

---- Michael Deutschmann <michael at talamasca.ocis.net>
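
An added example, not part of the original message: a Python sketch of the source-port heuristic suggested above, run over a constructed request log. The log format, the function names, and the 16-second `min_interval` threshold are assumptions made for illustration; a client that sends from a high port without any NAT in the path lands in the "ephemeral" category.

```python
from collections import defaultdict

NTP_PORT = 123
RESERVED_MAX = 1023  # Unix "reserved ports" are < 1024

# Constructed sample log: "epoch_seconds source_ip source_port" per request.
SAMPLE_LOG = """\
1135221900 192.0.2.10 123
1135221901 192.0.2.10 123
1135221902 192.0.2.10 123
1135221900 198.51.100.7 40001
1135221910 198.51.100.7 40002
1135221920 198.51.100.7 40003
1135221964 198.51.100.7 40001
1135221974 198.51.100.7 40002
1135221984 198.51.100.7 40003
1135221900 203.0.113.5 51000
1135221902 203.0.113.5 51000
1135221904 203.0.113.5 51000
"""

def parse(log):
    """Yield (time, ip, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit() and parts[2].isdigit():
            yield int(parts[0]), parts[1], int(parts[2])

def classify(log, min_interval=16):
    """Label each source IP by its source-port pattern and per-flow poll rate."""
    flows = defaultdict(lambda: defaultdict(list))  # ip -> port -> [times]
    for t, ip, port in parse(log):
        flows[ip][port].append(t)
    result = {}
    for ip, ports in flows.items():
        # Rate is judged per (ip, port) flow, so several well-behaved clients
        # behind one NAT address are not summed into one "abusive" sender.
        fast = any(len(ts) > 1 and (max(ts) - min(ts)) / (len(ts) - 1) < min_interval
                   for ts in ports.values())
        high = [p for p in ports if p > RESERVED_MAX]
        if set(ports) == {NTP_PORT}:
            kind = "direct-ntpd"
        elif len(high) > 1:
            kind = "likely-nat-multiple-clients"
        else:
            kind = "single-remapped-or-ephemeral"
        result[ip] = (kind, "abusive" if fast else "ok")
    return result
```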



