Hello,

After having read RFC 5905 and having partially understood it (much too technical about time aspects for me), I still cannot figure out whether the facts I observe are:

- RFC compliant or not
- a configuration error on my side
- a bug in the software I use (ntpd)
- the symptoms of an attack or of attempted attacks.
Here is what I observe:

The host has been configured to obtain its clock as a client from several NTP parents of stratum 2. It is a member of the ntp.pool.org and thus provides time to many hundreds of clients per hour. Out of curiosity I have intercepted the NTP exchanges using Wireshark, and besides the expected NTP client and NTP server exchanges, I see NTP symmetric active and symmetric passive ones. Zooming in on these, I see two types of requests:

- Symmetric active requests received from unconfigured hosts, which get answered by symmetric passive from my host. Here the point I do not understand is that the NTP server is configured in a way to "Deny packets that might mobilize an association unless authenticated." Shouldn't the server ignore the requests rather than answering them with a symmetric passive message?
- Other symmetric active requests come from the server itself toward one of the 5 configured hosts. But the server only makes use of "server" in the configuration (no "peer" statement). This occurs after a first NTP client request to that configured host, which gets answered by two NTP server messages from the configured host.

Looking at the ntpd bug database, I could not find anything that matches what I observed.

Thanks for any idea,
Joe.
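
Added example, not part of the original post: a small triage script that decodes the mode field of captured NTP payloads (the low three bits of the first octet in RFC 5905) and separates the two kinds of symmetric traffic described above from ordinary client/server exchanges. The addresses, sample packets and function names are constructed for illustration; payloads would come from an exported capture.

```python
# Added illustration: triage captured NTP payloads by the RFC 5905 mode field.
# Mode values: 1 symmetric active, 2 symmetric passive, 3 client, 4 server.

def parse_header(payload: bytes) -> dict:
    """Decode LI/VN/Mode (first octet) and stratum (second octet)."""
    if len(payload) < 48:  # NTP header without extension fields or MAC
        raise ValueError("truncated NTP packet")
    first = payload[0]
    return {"li": first >> 6, "version": (first >> 3) & 0x7,
            "mode": first & 0x7, "stratum": payload[1]}

def triage(packets, local, configured):
    """Return (src, dst, note) for each packet that deserves a closer look."""
    findings = []
    for src, dst, payload in packets:
        try:
            mode = parse_header(payload)["mode"]
        except ValueError as exc:
            findings.append((src, dst, str(exc)))
            continue
        if mode == 1 and dst == local and src not in configured:
            note = "inbound symmetric active from unconfigured host"
        elif mode == 2 and src == local and dst not in configured:
            note = "symmetric passive reply sent to unconfigured host"
        elif mode == 1 and src == local and dst in configured:
            note = "outbound symmetric active to a host configured as 'server'"
        else:
            continue  # ordinary client/server traffic or other modes
        findings.append((src, dst, note))
    return findings

def make_packet(mode, version=4, stratum=2):
    """Build a constructed 48-byte payload with only the header octets set."""
    return bytes([(version << 3) | mode, stratum]) + bytes(46)

# Constructed sample capture; all addresses are documentation ranges (assumptions).
LOCAL = "192.0.2.10"
CONFIGURED = {"198.51.100.1", "198.51.100.2"}
SAMPLE = [
    ("203.0.113.7", LOCAL, make_packet(3)),    # pool client request
    (LOCAL, "203.0.113.7", make_packet(4)),    # server reply
    ("203.0.113.99", LOCAL, make_packet(1)),   # symmetric active, unknown host
    (LOCAL, "203.0.113.99", make_packet(2)),   # symmetric passive answer
    (LOCAL, "198.51.100.1", make_packet(3)),   # normal upstream poll
    (LOCAL, "198.51.100.1", make_packet(1)),   # symmetric active to upstream
    ("203.0.113.50", LOCAL, b"\x23\x02"),      # truncated payload
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, LOCAL, CONFIGURED):
        print(*finding, sep="  ")
```
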