Gary said: >> Somebody on 2600:1700:6731:6c0:f2de:f1ff:fe20:1bbe is sending you >> packets that don't make sense. Same for 68.75.8.147. > Those two hit my hackathon server as well. But the connection is a normal > NTPv4 exchange on UDP.
Depends on what you mean by "normal". How much did you investigate? >From my sample: 6 Apr 07:44:56 ntpd[10742]: JUNK: M3 V4 0/23 1 4ef 48/ 0 0 020 from 68.75.8.147 :36693, lng=80 6 Apr 07:45:47 ntpd[10742]: JUNK: M3 V4 0/23 1 4ef 48/ 0 0 030 from 68.75.8.147 :34025, lng=96 ... The packet lengths are growing in steps of 16 bytes. The 48/ stuff prints out the next 4 bytes in hex. So that would be extension type 0 with lengths of 20 (hex), 30, ... 20 hex is 32 decimal. 32+48 for the basic NTP packet is 80 as reported. So there is a type 0 extension with 32 bytes. Doesn't seem normal to me. I'd bet on probing for a bug. -- These are my opinions. I hate spam. _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel