Hi all,

My understanding of kernel timekeeping is next to nothing, but something
very strange happened yesterday that looked like it might be an attack and
I'm wondering if it's happened to anyone else.

The first symptom was that ntpd lost synchronisation. At this point I
didn't know why so I did things at random; consequently I don't know what
state the kernel time variables were in.

One of the things I did was restart ntpd (a few times) and it had no
trouble contacting servers but refused to synchronise. Eventually I figured
out that my computer's clock was running too fast; gaining about 300
milliseconds every minute. If I understand things correctly this is well
in excess of what can be adjusted with ntptime, although I did try.

Eventually I crossed my fingers and rebooted the machine, hoping that
the kernel was just in a strange state that I was too ignorant to find.
This worked.

Now that it was fixed I went over the events and found (on the pool's
monitoring) that my computer started racing ahead at a very specific moment,
and there was something in the logs at that moment:

Oct 23 19:06:01 atlas inetd[163]: accept (for time): Software caused connection abort

Until this happened I had allowed TCP and UDP connections to inetd's internal
daytime and time services. I didn't think there would be a problem with
this, but I've now blocked it.

Has anyone seen anything like this before? Could it have been an attack?

Thanks and regards,
- Joel
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool