Hi, I spotted some odd traffic on two of my NTP servers today. Two other
servers I'm running don't collect the appropriate statistics (so I don't
know), and the three others didn't experience this oddity.
Please have a look at the following graphs:
http://tursas.miuku.net/stats/ntppackets.html
http://tursas.miuku.net/stats/net.html
http://kameli.miuku.net/stats/ntppackets.html
http://kameli.miuku.net/stats/net.html
As for tursas.miuku.net, it apparently sent about 80 times more packets
than it received during the peak. This doesn't make sense, because
normally the received and sent packets are equal. I do some (minimal)
filtering, but that occurs before the packets reach ntpd.
This occurred on my Turkish server, kameli.miuku.net, as well, but there
the "base load" was already somewhat higher due to our Turkish friends
at TTNet. One noteworthy thing is that the total amount of outbound
traffic was about 2x on kameli than on tursas during the peak, perhaps
because kameli has two IP addresses in the pool.
Have you noticed this in your statistics? I'm suspecting that I was sent
NTP packets with a spoofed source address and that there's some sort of
a bug in ntpd that allows this sort of an amplification attack against
someone. Unfortunately I wasn't around when this happened, so I don't
know what actually happened on the network at that time.
Both of these servers are running CentOS 5.7 with
ntp-4.2.2p1-15.el5.centos.1.
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
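One way to check your own statistics for the sent/received asymmetry described in the post above, as an added example that is not part of the original message: the counter layout (interval start, packets received, packets sent) and the sample values are constructed for this example and are not an ntpd statistics file format.

```python
"""Flag sampling intervals where an NTP server sends far more packets
than it receives, the sent/received asymmetry the post describes."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: one line per 5-minute interval with packet counters
# (interval start, packets received, packets sent). The layout is an
# assumption for this example, not an ntpd statistics file format.
SAMPLE = """\
# start            rx    tx
2011-11-01T10:00 1200 1210
2011-11-01T10:05 1180 1190
2011-11-01T10:10 1400 112000
2011-11-01T10:15 1350 108000
2011-11-01T10:20 1220 1230
"""


@dataclass
class Interval:
    start: str
    received: int
    sent: int

    @property
    def ratio(self) -> float:
        # Packets sent per packet received. A plain NTP server answers one
        # reply per query, so a healthy ratio stays close to 1.0.
        return self.sent / self.received if self.received else float("inf")


def parse(text: str) -> List[Interval]:
    """Parse the constructed counter lines, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start, rx, tx = line.split()
        rows.append(Interval(start, int(rx), int(tx)))
    return rows


def flag_amplification(intervals: Iterable[Interval],
                       threshold: float = 5.0) -> List[Interval]:
    """Return intervals whose sent/received ratio exceeds the threshold."""
    return [iv for iv in intervals if iv.ratio > threshold]


if __name__ == "__main__":
    for iv in flag_amplification(parse(SAMPLE)):
        print(f"{iv.start}: sent/received = {iv.ratio:.0f}x")
```

Feed it the per-interval counters behind your own graphs; intervals flagged at tens of replies per query are worth correlating with the source addresses in your packet filter logs.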