Hi--

On Oct 18, 2012, at 10:05 AM, Kurt Roeckx wrote:
> On Wed, Oct 17, 2012 at 10:49:26AM -0700, Chuck Swiger wrote:
>> 
>> Whether a machine has been infected by malware is not related directly
>> to whether it is serving good time.  The NTP pool has a scoring
>> mechanism which will remove that IP if it no longer provides good time:
> 
> You really don't know if it's serving good time or not.  It might
> be serving good time to the monitor system and bad to the rest.

Possible, sure, but that's easily testable:

% ntpq -npcrv 72.8.140.222
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*64.147.116.229  .ACTS.           1 u  129 1024  377    2.842   -1.542   0.112
+131.107.13.100  .ACTS.           1 u   62 1024  377   27.993   -2.377   0.109
-132.246.11.227  132.246.11.231   2 u  129 1024  177   86.794   -5.875   0.398
+209.87.233.53   209.87.233.52    2 u  120 1024  377  102.221   -1.377   0.406
-128.100.100.128 128.100.200.166  2 u  986 1024  377   64.555   -4.155   0.556
 128.100.56.135  130.207.244.240  2 u  637 1024  373   62.913  -98.502  53.782
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode,
version="ntpd [email protected] Fri Nov 18 13:21:21 UTC 2011 (1)",
processor="x86_64", system="Linux/2.6.18-308.8.2.el5xen", leap=00,
stratum=2, precision=-20, rootdelay=2.842, rootdispersion=18.924,
peer=20662, refid=64.147.116.229,
reftime=d42ab682.d1496c42  Thu, Oct 18 2012 13:10:26.817, poll=10,
clock=d42ab703.a57e0129  Thu, Oct 18 2012 13:12:35.646, state=4,
offset=-1.867, frequency=-0.663, jitter=0.502, noise=1.499,
stability=0.013, tai=0

Please note that ntpd was explicitly designed to mitigate against falsetickers
using a variant of Marzullo's algorithm, so the notion of fooling the NTP pool
scoring mechanism won't accomplish too much even if evildoers try it:

http://en.wikipedia.org/wiki/Marzullo%27s_algorithm
http://en.wikipedia.org/wiki/Intersection_algorithm

In response to some other points being made, I think it would be a good idea to
remove the IP from being part of the pool, but Ask can make that decision if and
as he wants to.

Regards,
-- 
-Chuck

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
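
The falseticker rejection mentioned in the message above, as an added example that is not part of the original post and is not ntpd's code: classic Marzullo's algorithm (ntpd uses the related intersection variant) run over constructed offset and error-bound pairs. The peer names, the sample values and the "more than half must agree" rule in select() are assumptions made for illustration.

```python
# Added example: classic Marzullo's algorithm. Not ntpd's code; ntpd uses
# the related intersection variant. All peer data below is constructed.

def marzullo(intervals):
    """Return (count, lo, hi): the largest number of overlapping
    intervals and the first region where that many overlap."""
    edges = []
    for lo, hi in intervals:
        edges.append((lo, -1))  # interval opens
        edges.append((hi, +1))  # interval closes
    # Tuples sort by offset, then opens (-1) before closes (+1), so
    # intervals that only touch at a point still count as overlapping.
    edges.sort()
    best = count = 0
    best_lo = best_hi = None
    for i, (offset, kind) in enumerate(edges):
        count -= kind
        if count > best:  # only an opening edge can raise the count
            best, best_lo, best_hi = count, offset, edges[i + 1][0]
    return best, best_lo, best_hi


def select(peers):
    """peers: {name: (offset_ms, error_bound_ms)}.
    Returns (truechimers, falsetickers, (lo, hi)), or None when no
    majority of sources agree (assumed rule: more than half)."""
    spans = {n: (off - err, off + err) for n, (off, err) in peers.items()}
    count, lo, hi = marzullo(list(spans.values()))
    if count * 2 <= len(peers):
        return None
    good = sorted(n for n, (a, b) in spans.items() if a <= lo and hi <= b)
    bad = sorted(set(spans) - set(good))
    return good, bad, (lo, hi)


# Constructed sample: four sources near -2 ms, one roughly 98 ms off.
PEERS = {
    "peer-a": (-1.5, 2.0),
    "peer-b": (-2.5, 3.0),
    "peer-c": (-1.0, 4.0),
    "peer-d": (-4.0, 5.0),
    "peer-x": (-98.5, 20.0),
}

if __name__ == "__main__":
    print(select(PEERS))
    print(select({"peer-a": (0.0, 1.0), "peer-x": (100.0, 1.0)}))
```

With only two sources that disagree, select() returns None: there is no majority, so neither source can be labelled the falseticker.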
