Update:

I could capture some incoming packets from some 49.9.x.x addresses.
They seem to be very random and look like normal NTP requests of 90 bytes.

Since the addresses are assigned to KRNIC, I had the idea that packets from
Germany are blocked generally. Can I be wrong?

traceroute example:
# traceroute 49.9.129.101
traceroute to 49.9.129.101 (49.9.129.101), 30 hops max, 60 byte packets
 1  static.97.80.9.5.clients.your-server.de (5.9.80.97)  1.114 ms  1.124 ms  1.154 ms
 2  hos-tr1-juniper3.rz16.hetzner.de (213.239.230.1)  0.199 ms  0.193 ms hos-tr4-juniper4.rz16.hetzner.de (213.239.233.97)  0.162 ms
 3  core21.hetzner.de (213.239.245.105)  0.224 ms core22.hetzner.de (213.239.245.145)  0.386 ms core21.hetzner.de (213.239.245.105)  0.212 ms
 4  core12.hetzner.de (213.239.245.214)  2.901 ms core11.hetzner.de (213.239.245.221)  2.796 ms core23.hetzner.de (213.239.203.170)  0.318 ms
 5  * * *
[...]


Because Hetzner normally does not tell me where an abuse message came
from, I first assumed that it came from the owner of the subnet, but since
the timestamps are in CEST and all three of us got them from Hetzner, it
seems to come from Hetzner's own egress monitoring.

___
To the pool admins:
I think it's a good idea to add non-local servers to zones with too few
servers to manage the load, but maybe this shouldn't be done for zones like
cn, kr, eg, etc. where censorship may prevent answers from outside.

___
My answer to Hetzner (if interested):
Hello,

after your renewed notification I examined the outgoing traffic of the
server in question more closely and found that it consists of regular
answers to regular requests to the NTP server (always exactly 90 bytes
each).

Since these are exclusively IP addresses assigned to KRNIC, I suspect that
some or all packets from Germany, and possibly from other parts of the
world, are being blocked due to censorship.

The server is listed in the NTP pool project (http://www.pool.ntp.org/) and
may have been added to the KR zone because that zone was overloaded.

Kind regards,

___
Oliver Domke


oliver domke <m...@piflix.de> wrote on Mon., 17 Oct 2016 at 17:44:

> Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote on Mon., 17 Oct
> 2016 at 10:58:
>
> > time                protocol src_ip src_port          dest_ip dest_port
> > ---------------------------------------------------------------------------
> > Sun Oct 16 23:26:18 2016 UDP 213.239.204.119 123   =>     49.9.253.77 48943
> > Sun Oct 16 23:25:07 2016 UDP 213.239.204.119 123   =>    49.9.173.110 53789
> > Sun Oct 16 23:26:16 2016 UDP 213.239.204.119 123   =>     49.9.236.63 41332
>
>
> Hi,
>
> I got two of these this morning (same dest. net).
> The real problem is, these addresses are not reachable (no route, tested
> on Hetzner, Telekom, NetCologne). That means the requests that caused the
> answers most likely came from another source.
>
> As it already had stopped, I was not able to log the traffic. Any ideas?
>
> Oliver Domke
>
> Example:
> > ##########################################################################
> > #              Portscan detected from host     5.9.122.148               #
> > ##########################################################################
> >
> > time                protocol src_ip src_port          dest_ip dest_port
> > ---------------------------------------------------------------------------
> > Mon Oct 17 02:03:19 2016 UDP     5.9.122.148 123   =>    49.9.171.108 40742
> > Mon Oct 17 02:04:06 2016 UDP     5.9.122.148 123   =>     49.9.203.32 58853
> > Mon Oct 17 02:01:59 2016 UDP     5.9.122.148 123   =>    49.9.158.167 58447
> > Mon Oct 17 02:03:21 2016 UDP     5.9.122.148 123   =>    49.9.182.146 59820
> > Mon Oct 17 02:02:54 2016 UDP     5.9.122.148 123   =>     49.9.225.69 44483
> > Mon Oct 17 02:03:22 2016 UDP     5.9.122.148 123   =>     49.9.191.70 53892
>
_______________________________________________
pool mailing list
pool@lists.ntp.org
http://lists.ntp.org/listinfo/pool
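The thread turns on one question: do the flows in the abuse report look like a port scan, or like an NTP server answering requests? The report lines themselves already carry the answer (fixed source port 123, one ephemeral destination port per client). The script below is an added example, not part of the thread and not Hetzner's tooling: it parses lines in the layout of the quoted report, applies that check, groups the flagged clients by /16 so you can see they all fall in one KRNIC-assigned block, and confirms that the "90 bytes" the poster saw is exactly a minimal NTP packet on Ethernet. The sample report lines are constructed from the thread; the scan counter-example is constructed here for contrast.

```python
"""Is an abuse report of "portscan from <server>" really just NTP replies?

Added example (not from the thread). Parses report lines in the layout
Hetzner sent and checks whether they are consistent with an NTP server
answering requests (server:123 -> client:ephemeral) or with the server
scanning (server:ephemeral -> target:well-known port).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, in the layout of the report quoted in the thread.
REPORT = """\
Mon Oct 17 02:03:19 2016 UDP     5.9.122.148 123   =>    49.9.171.108 40742
Mon Oct 17 02:04:06 2016 UDP     5.9.122.148 123   =>     49.9.203.32 58853
Mon Oct 17 02:01:59 2016 UDP     5.9.122.148 123   =>    49.9.158.167 58447
"""

# Constructed counter-example: an outbound UDP scan from the same host
# (ephemeral source ports, well-known target ports, one target).
SCAN = """\
Mon Oct 17 02:03:19 2016 UDP     5.9.122.148 41233 =>    49.9.171.108 123
Mon Oct 17 02:03:19 2016 UDP     5.9.122.148 41234 =>    49.9.171.108 161
Mon Oct 17 02:03:19 2016 UDP     5.9.122.148 41235 =>    49.9.171.108 53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +(?P<proto>\w+)"
    r" +(?P<src>[\d.]+) +(?P<sport>\d+) +=> +(?P<dst>[\d.]+) +(?P<dport>\d+)$"
)


def parse_report(text):
    """Return one dict per flow line; header and separator lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["sport"] = int(f["sport"])
        f["dport"] = int(f["dport"])
        flows.append(f)
    return flows


def looks_like_ntp_responses(flows, server_ip):
    """True when every flow is UDP server:123 -> client:ephemeral.

    That is what replies to NTP requests look like, whether the request's
    source address was genuine or spoofed; it is not what a scan looks like.
    """
    return bool(flows) and all(
        f["proto"] == "UDP" and f["src"] == server_ip
        and f["sport"] == 123 and f["dport"] >= 1024
        for f in flows
    )


def looks_like_scan(flows, server_ip):
    """True when the server probes well-known ports from ephemeral ports."""
    return bool(flows) and all(
        f["src"] == server_ip and f["sport"] >= 1024 and f["dport"] < 1024
        for f in flows
    )


def destination_prefixes(flows, bits=16):
    """Count flagged destinations per /bits prefix (e.g. all in 49.9.0.0/16)."""
    return Counter(
        str(ipaddress.ip_network(f"{f['dst']}/{bits}", strict=False))
        for f in flows
    )


def ntp_frame_bytes():
    """On-wire size of a minimal NTP packet: Ethernet + IPv4 + UDP + NTP."""
    return 14 + 20 + 8 + 48


if __name__ == "__main__":
    server = "5.9.122.148"
    flows = parse_report(REPORT)
    print("NTP responses:", looks_like_ntp_responses(flows, server))
    print("scan:", looks_like_scan(flows, server))
    print("destinations by /16:", dict(destination_prefixes(flows)))
    print("minimal NTP frame:", ntp_frame_bytes(), "bytes")
    # To capture the triggering requests next time (assumed interface eth0):
    # tcpdump -ni eth0 -s 0 -w ntp-kr.pcap 'udp port 123 and net 49.9.0.0/16'
```

Running it on the quoted lines reports NTP responses: True, scan: False, all destinations in 49.9.0.0/16, and a 90-byte minimal frame, which is the size the poster observed. If the destinations are also unroutable from your host, as the thread reports, the matching requests cannot have come from those addresses, so the tcpdump filter in the trailing comment is what to run before replying to the next report.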