Update: I could capture some incoming packets from some 49.9.x.x. They seem to be very random and look like normal NTP requests of 90 bytes.

Since the addresses are assigned to KRNIC, I had the idea that packets from Germany are blocked generally. Can I be wrong? traceroute example:

# traceroute 49.9.129.101
traceroute to 49.9.129.101 (49.9.129.101), 30 hops max, 60 byte packets
 1  static.97.80.9.5.clients.your-server.de (5.9.80.97)  1.114 ms  1.124 ms  1.154 ms
 2  hos-tr1-juniper3.rz16.hetzner.de (213.239.230.1)  0.199 ms  0.193 ms
    hos-tr4-juniper4.rz16.hetzner.de (213.239.233.97)  0.162 ms
 3  core21.hetzner.de (213.239.245.105)  0.224 ms
    core22.hetzner.de (213.239.245.145)  0.386 ms
    core21.hetzner.de (213.239.245.105)  0.212 ms
 4  core12.hetzner.de (213.239.245.214)  2.901 ms
    core11.hetzner.de (213.239.245.221)  2.796 ms
    core23.hetzner.de (213.239.203.170)  0.318 ms
 5  * * *
[...]

Because Hetzner normally does not tell me where an abuse message came from, I first assumed that it came from the owner of the subnet, but since the timestamps are in CEST and all three of us got them from Hetzner, it seems to come from Hetzner's own egress monitoring.

___

To the pool admins: I think it's a good idea to add non-local servers to zones with too few servers to manage the load, but maybe this shouldn't be done for zones like cn, kr, eg, etc. where censorship may prevent answers from outside.

___

My answer to Hetzner (if interested):

Hello,

after your renewed notification I examined the outgoing traffic of the server in question more closely and found that it consists of regular answers to regular requests to the NTP server (always 90 bytes each). Since all of the IP addresses involved are assigned to KRNIC, I suspect that some or all of the packets from Germany and possibly other parts of the world are being blocked due to censorship. The server is listed in the NTP pool project (http://www.pool.ntp.org/) and may have been added to the KR zone because that zone was overloaded.

Kind regards,

___

Oliver Domke

oliver domke <[email protected]> wrote on Mon., 17 Oct. 2016 at 17:44:

> Ralf Hildebrandt <[email protected]> wrote on Mon., 17 Oct. 2016 at 10:58:
>
> > time protocol src_ip src_port dest_ip dest_port
> > ---------------------------------------------------------------------------
> > Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123 => 49.9.253.77 48943
> > Sun Oct 16 23:25:07 2016 UDP 213.239.204.119 123 => 49.9.173.110 53789
> > Sun Oct 16 23:26:16 2016 UDP 213.239.204.119 123 => 49.9.236.63 41332
>
> Hi,
>
> I got two of these this morning (same dest. net).
> The real problem is, these addresses are not reachable (no route, tested
> on hetzner, telekom, netcologne). That means the request that causes the
> answers most likely came from another source.
>
> As it already had stopped, I was not able to log the traffic. Any ideas?
>
> Oliver Domke
>
> Example:
>
> ##########################################################################
> # Portscan detected from host 5.9.122.148
> #
> ##########################################################################
>
> > time protocol src_ip src_port dest_ip dest_port
> > ---------------------------------------------------------------------------
> > Mon Oct 17 02:03:19 2016 UDP 5.9.122.148 123 => 49.9.171.108 40742
> > Mon Oct 17 02:04:06 2016 UDP 5.9.122.148 123 => 49.9.203.32 58853
> > Mon Oct 17 02:01:59 2016 UDP 5.9.122.148 123 => 49.9.158.167 58447
> > Mon Oct 17 02:03:21 2016 UDP 5.9.122.148 123 => 49.9.182.146 59820
> > Mon Oct 17 02:02:54 2016 UDP 5.9.122.148 123 => 49.9.225.69 44483
> > Mon Oct 17 02:03:22 2016 UDP 5.9.122.148 123 => 49.9.191.70 53892

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
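The triage Oliver did by hand (UDP from source port 123 to varying client ports, all destinations in one /16, a handful of flows spread over minutes, 90 bytes per packet) can be automated against the report format Hetzner sends. The script below is an added example written for this page, not code from the thread, the pool project or Hetzner. It assumes the line layout shown in the quoted "Portscan detected" report, treats destination ports above 1023 as client ephemeral ports (a conventional threshold, not something the report states), and takes the 90-byte figure as 14 bytes Ethernet + 20 bytes IPv4 + 8 bytes UDP + 48 bytes NTP. The sample input is the six lines from the page; the contrasting TCP sample is constructed.

```python
import re
import ipaddress
from datetime import datetime

# Sample input: the report lines quoted in the thread (banner and header included,
# so the parser has to skip them), plus a constructed non-NTP report for contrast.
SAMPLE_REPORT = """\
##########################################################################
# Portscan detected from host 5.9.122.148
#
##########################################################################

time protocol src_ip src_port dest_ip dest_port
---------------------------------------------------------------------------
Mon Oct 17 02:03:19 2016 UDP 5.9.122.148 123 => 49.9.171.108 40742
Mon Oct 17 02:04:06 2016 UDP 5.9.122.148 123 => 49.9.203.32 58853
Mon Oct 17 02:01:59 2016 UDP 5.9.122.148 123 => 49.9.158.167 58447
Mon Oct 17 02:03:21 2016 UDP 5.9.122.148 123 => 49.9.182.146 59820
Mon Oct 17 02:02:54 2016 UDP 5.9.122.148 123 => 49.9.225.69 44483
Mon Oct 17 02:03:22 2016 UDP 5.9.122.148 123 => 49.9.191.70 53892
"""

# Constructed contrast: same host, but TCP to one fixed well-known port on many
# destinations. That does not look like an NTP server answering clients.
CONSTRUCTED_NON_NTP = """\
Mon Oct 17 02:03:19 2016 TCP 5.9.122.148 41000 => 49.9.171.108 22
Mon Oct 17 02:03:19 2016 TCP 5.9.122.148 41001 => 49.9.171.109 22
Mon Oct 17 02:03:20 2016 TCP 5.9.122.148 41002 => 49.9.171.110 22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) (?P<sport>\d+) => (?P<dst>[\d.]+) (?P<dport>\d+)$"
)

NTP_PORT = 123
# Minimal NTP packet is 48 bytes; with UDP, IPv4 and Ethernet headers that is
# 48 + 8 + 20 + 14 = 90 bytes on the wire, the size reported in the thread.
NTP_FRAME_LEN = 48 + 8 + 20 + 14
EPHEMERAL_MIN = 1024  # assumption: client source ports are above 1023


def parse_report(text):
    """Parse flow lines from a report; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "ts": datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y"),
            "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]),
            "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]),
        })
    return rows


def common_prefix(addrs):
    """Smallest IPv4 network that contains every address (widen from /32 until all fit)."""
    first = addrs[0]
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if all(a in net for a in addrs):
            return net


def triage(rows):
    """Decide whether the reported flows are consistent with NTP server replies."""
    if not rows:
        return {"verdict": "empty", "flows": 0}
    # Replies from an NTP server: UDP, source port 123, and each flow goes to the
    # client's own ephemeral port, so destination ports vary per flow.
    udp_from_123 = all(r["proto"] == "UDP" and r["sport"] == NTP_PORT for r in rows)
    dports = [r["dport"] for r in rows]
    ephemeral = all(p >= EPHEMERAL_MIN for p in dports)
    distinct_dports = len(set(dports))
    stamps = sorted(r["ts"] for r in rows)
    span = int((stamps[-1] - stamps[0]).total_seconds())
    verdict = "ntp-replies" if (udp_from_123 and ephemeral and distinct_dports == len(rows)) else "not-ntp-replies"
    return {
        "verdict": verdict,
        "flows": len(rows),
        "span_seconds": span,
        "dst_prefix": str(common_prefix([r["dst"] for r in rows])),
        "distinct_dports": distinct_dports,
        "expected_frame_len": NTP_FRAME_LEN,
    }


if __name__ == "__main__":
    for name, text in (("page report", SAMPLE_REPORT), ("constructed", CONSTRUCTED_NON_NTP)):
        print(name, triage(parse_report(text)))
```

For the report on the page this yields the verdict "ntp-replies", six flows over 127 seconds, all destinations inside 49.9.128.0/17 and an expected 90-byte frame; a captured 90-byte UDP frame from port 123 in the same window would confirm the match. The summary is a starting point for the reply to the abuse desk, not a proof: it cannot tell whether the requests that triggered the replies were spoofed, which is exactly the gap Oliver noted when the destinations turned out to be unreachable.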
