On Wed, Dec 02, 2015 at 07:44:47PM +0800, ??? Dan Jacobson wrote: > Package: ntp > Version: 1:4.2.8p4+dfsg-3+b1 > > I saw > > 12? 02 19:39:46 jidanni5 ntpd[2246]: Soliciting pool server 61.219.119.38 > 12? 02 19:39:47 jidanni5 ntpd[2246]: Soliciting pool server 61.219.119.41 > 12? 02 19:39:47 jidanni5 ntpd[2246]: Soliciting pool server 117.56.73.145 > 12? 02 19:39:48 jidanni5 ntpd[2246]: Soliciting pool server 123.204.45.116 > 12? 02 19:39:48 jidanni5 ntpd[2246]: Soliciting pool server 123.204.45.116 > 12? 02 19:39:48 jidanni5 systemd[905]: Time has been changed > 12? 02 19:39:48 jidanni5 ntpd[2246]: receive: Unexpected origin timestamp > from 61.219.119.38 > > http://www.cs.bu.edu/~goldbe/NTPattack.html says > > Attack 1 and Attack 2 (Denial of Service). Upgrade to ntpd v4.2.8p4. To > see what ntpd version you are running, log into to your NTP server and > type ntpq and then rv. Also, monitor the system log for error messages > of the form "receive: Unexpected origin timestamp from %s", which could > indicate that you are subject to a priming-the-pump attack.
Those message start to show up with 4.2.8p4. A few people see them. I've already reported this upstream. I wouldn't worry about this if you only see this for 1 peer. Kurt
