Somewhat related to this perhaps, I've been seeing quite some "port 37"
traffic. TCP port 37 is used by the (outdated) Time Protocol, which NIST
for instance still supports on all but their primary
server <http://tf.nist.gov/service/its.htm>. My
server doesn't support it either, so it is dropped by the firewall.

Below is a small snippet of some of the dropped traffic, and though it's not
a whole lot, the fact that single IPs keep retrying at intervals when there's
no answer seems to suggest that there's perhaps some legitimate service behind
the request instead of random scripts sniffing my server. And if that's
true, a relation to being a public NTP server (and in the pool) seems obvious.

Any of you guys see the same?

Regards,
Roelant.

PS: FYI, 87.233.14.148 = ntp.roelant.net in the
pool <http://www.pool.ntp.org/scores/87.233.14.148>.


Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-12-05 12:39:14 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:20 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:32 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:56 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:40:44 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 13:15:56 DROP TCP 81.143.3.102 87.233.14.148 42780 37 48 S 3953727619 0 65535 - - - RECEIVE
2009-12-05 13:15:59 DROP TCP 81.143.3.102 87.233.14.148 42780 37 48 S 3953727619 0 65535 - - - RECEIVE
2009-12-05 13:17:11 DROP TCP 82.169.50.239 87.233.14.148 19936 37 64 S 3636546549 0 65535 - - - RECEIVE
2009-12-05 13:21:39 DROP TCP 80.39.70.156 87.233.14.148 1612 37 48 S 370736804 0 65535 - - - RECEIVE
2009-12-05 13:21:40 DROP TCP 82.169.50.239 87.233.14.148 19936 37 40 R 3636546550 0 65535 - - - RECEIVE
2009-12-05 13:21:42 DROP TCP 80.39.70.156 87.233.14.148 1612 37 48 S 370736804 0 65535 - - - RECEIVE
2009-12-05 13:25:00 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:03 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:09 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:21 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:45 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE


On Fri, Dec 4, 2009 at 1:22 PM, der Mouse <[email protected]>
wrote:
>> I noticed to my ntp server in the pool, craploads of icmp requests
>> per second (about 1/50th the amount of ntp requests).
>
>> Most of these send several icmp requests every so often, then an ntp
>> request.
>
> I just checked mine.
>
> I took a 1000-packet snapshot (turned out to be about 42 seconds).  8
> ICMP packets (half ECHO_REQUEST to me, half ECHO_RESPONSE from me); 659
> port-123 packets, presumably all NTP (358 to me, 301 from me - some of
> the hosts I block for abusive levels of traffic keep hammering on the
> block).
>
> The four pings were sent by four different hosts, none of which
> appeared elsewhere in the capture at all.
>
> I then took a 10000-packet snapshot.  6066 port-123 packets and no ICMP
> at all.  (The other 3934 packets are unrelated traffic; my pool host is
> also my house router, and as such sees tunnel traffic to/from external
> parts of my house network.  My capture excluded forwarded traffic, but
> the tunnels' outer traffic still showed up.)
>
> So, I guess I'm not seeing what you are. :)
>
> /~\ The ASCII                             Mouse
> \ / Ribbon Campaign
>  X  Against HTML                [email protected]
> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> _______________________________________________
> timekeepers mailing list
> [email protected]
> https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
>
>
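The retry pattern in Roelant's log (same source port, same TCP sequence number, gaps that roughly double) is what a kernel's SYN retransmit timer produces for a single unanswered connect(); a scanner that crafts its own packets, or a program that calls connect() afresh each time, normally shows a new sequence number per SYN. As an added example that is not part of the original post, the script below parses the firewall records quoted above (the "Fields:" line is the Windows Firewall log format the post uses) and reports, per flow, the SYN count, whether the ISN stays constant, and the inter-SYN gaps. The field names come from the post; the "3 s initial RTO, doubled per retry" heuristic, the 25% tolerance and the verdict wording are assumptions of this example.

```python
"""Classify dropped TCP SYNs from a Windows Firewall (pfirewall.log) style log.

Added example for this thread, not code from the original post.  It groups
dropped SYNs by (src-ip, src-port, dst-port) and checks the two things worth
looking at before deciding whether a source is a real client or a scanner:
  * do all SYNs of a flow carry the same sequence number?  A stock TCP stack
    retransmits an unanswered SYN with the same ISN; a fresh connect() or a
    scanner sends a new one each time.
  * do the gaps between attempts roughly double?  That is the kernel's SYN
    retransmit backoff (classic 3 s initial RTO, doubled on every retry).
"""
from collections import defaultdict
from datetime import datetime

# Field list and records copied from the post (records are line-wrapped there).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

SAMPLE_LOG = """\
2009-12-05 12:39:14 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:20 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:32 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:39:56 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 12:40:44 DROP TCP 62.251.86.35 87.233.14.148 54213 37 60 S 3547221158 0 5840 - - - RECEIVE
2009-12-05 13:15:56 DROP TCP 81.143.3.102 87.233.14.148 42780 37 48 S 3953727619 0 65535 - - - RECEIVE
2009-12-05 13:15:59 DROP TCP 81.143.3.102 87.233.14.148 42780 37 48 S 3953727619 0 65535 - - - RECEIVE
2009-12-05 13:17:11 DROP TCP 82.169.50.239 87.233.14.148 19936 37 64 S 3636546549 0 65535 - - - RECEIVE
2009-12-05 13:21:39 DROP TCP 80.39.70.156 87.233.14.148 1612 37 48 S 370736804 0 65535 - - - RECEIVE
2009-12-05 13:21:40 DROP TCP 82.169.50.239 87.233.14.148 19936 37 40 R 3636546550 0 65535 - - - RECEIVE
2009-12-05 13:21:42 DROP TCP 80.39.70.156 87.233.14.148 1612 37 48 S 370736804 0 65535 - - - RECEIVE
2009-12-05 13:25:00 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:03 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:09 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:21 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
2009-12-05 13:25:45 DROP TCP 213.132.228.118 87.233.14.148 3953 37 60 S 2248197016 0 5840 - - - RECEIVE
"""


def parse_line(line):
    """Turn one log record into a dict keyed by FIELDS, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def group_flows(text):
    """Group TCP records by (src-ip, src-port, dst-port), keeping file order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Fields:"):
            continue
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "TCP":
            continue
        flows[(rec["src-ip"], rec["src-port"], rec["dst-port"])].append(rec)
    return flows


def backoff_doubles(deltas, tolerance=0.25):
    """True if every gap is within `tolerance` of twice the previous gap.
    Zero or one gap trivially passes (nothing to compare)."""
    return all(abs(b - 2 * a) <= tolerance * 2 * a for a, b in zip(deltas, deltas[1:]))


def classify(records):
    """Summarise one flow: SYN/RST counts, ISN stability, inter-SYN gaps, verdict."""
    syns = sorted((r for r in records if r["tcpflags"] == "S"), key=lambda r: r["ts"])
    rsts = sum(1 for r in records if r["tcpflags"] == "R")
    deltas = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(syns, syns[1:])]
    same_isn = len({r["tcpsyn"] for r in syns}) == 1
    if len(syns) < 2:
        verdict = "single SYN, no retry seen"
    elif same_isn and backoff_doubles(deltas):
        verdict = "kernel SYN retransmits of one connect(): a real client, not a scanner"
    elif same_isn:
        verdict = "same ISN but irregular timing: probably one client, look at more samples"
    else:
        verdict = "new ISN per SYN: separate connect() calls or a scanner"
    return {"syns": len(syns), "rsts": rsts, "same_isn": same_isn, "deltas": deltas,
            "win": syns[0]["tcpwin"] if syns else None, "verdict": verdict}


def report(text):
    """One summary line per flow, ordered by the flow's first record."""
    lines = []
    for (src, sport, dport), recs in sorted(group_flows(text).items(),
                                            key=lambda kv: kv[1][0]["ts"]):
        c = classify(recs)
        lines.append("%s:%s -> :%s  syns=%d rsts=%d win=%s gaps=%s  %s" % (
            src, sport, dport, c["syns"], c["rsts"], c["win"], c["deltas"], c["verdict"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the post's data this flags 62.251.86.35 (gaps 6, 12, 24, 48 s) and 213.132.228.118 (gaps 3, 6, 12, 24 s) as plain kernel retransmits of one connection attempt, the two-SYN flows from 81.143.3.102 and 80.39.70.156 as the same with only one gap to judge from, and 82.169.50.239 as a lone SYN followed minutes later by a RST. The tcpwin column is a further hint if you want one: 5840 is the well-known Linux 2.6 initial window, 65535 is common on Windows and BSD stacks; that is a heuristic of this example, not something the log states.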