Harlan Stenn wrote:
> And I thought syslog() was pretty good about "Last
> message repeated N times".


In addition to my last post (which I forgot to sign, sorry), it may be worth recalling that ntp 4.2.0 (and maybe later) had a bug that made it log bogus IPs:

> Sep 3 04:07:36 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9: Connection refused
> Sep 3 04:08:40 gida ntpd[4796]: recvfrom(192.168.1.3) fd=9: Connection refused

OK, though they are not the IPs that the packets really came from, they are not really bogus. Apparently it's the IP that a packet was last received from (client or server). The syslog daemon wouldn't be able to compress these two lines. Of course, in between two legitimate queries, the log lines will all have the same IP. So, instead of only two log lines ("connection refused" and "message repeated") the attacker may be able to get a few more, but he would still be wasting most of his bandwidth.

Even so, it does help to make the smoke curtain thicker and it would make the sysadmin scratch his head even more - I know, first hand.

   Luc
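
The repeat compression discussed in this message, as an added example that is not part of the original post or of any syslog daemon's code: a simplified model that collapses consecutive lines with identical host and message text, run over constructed log lines modelled on the two quoted above. The `mask_addr` helper is a hypothetical triage step that hides the logged address so the whole run collapses again.

```python
import re

# Constructed sample lines, modelled on the two log lines quoted in the message.
SAMPLE = [
    "Sep 3 04:07:36 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9: Connection refused",
    "Sep 3 04:07:37 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9: Connection refused",
    "Sep 3 04:07:38 gida ntpd[4796]: recvfrom(193.190.230.65) fd=9: Connection refused",
    "Sep 3 04:08:40 gida ntpd[4796]: recvfrom(192.168.1.3) fd=9: Connection refused",
    "Sep 3 04:08:41 gida ntpd[4796]: recvfrom(192.168.1.3) fd=9: Connection refused",
]

# timestamp, host, message text (tag + body)
HEADER = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+(.*)$")
RECVFROM = re.compile(r"recvfrom\([0-9a-fA-F.:]+\)")


def mask_addr(msg):
    """Hypothetical normalizer: replace the address ntpd logged with a token."""
    return RECVFROM.sub("recvfrom(<addr>)", msg)


def compress(lines, key=lambda msg: msg):
    """Collapse runs of consecutive lines whose (host, key(message)) match.

    Simplified model of syslog repeat compression: the timestamp is ignored,
    everything after it must be identical for a line to count as a repeat.
    """
    out, prev, count, last_hdr = [], None, 0, ""
    for line in list(lines) + [None]:  # None is a sentinel that flushes the last run
        m = HEADER.match(line) if line is not None else None
        cur = (m.group(2), key(m.group(3))) if m else None
        if cur is not None and cur == prev:
            count += 1
            last_hdr = f"{m.group(1)} {m.group(2)}"
            continue
        if count:
            out.append(f"{last_hdr} last message repeated {count} times")
        if line is not None:
            out.append(line)
        prev, count = cur, 0
    return out


if __name__ == "__main__":
    print("\n".join(compress(SAMPLE)))             # a new run starts when the address changes
    print("\n".join(compress(SAMPLE, mask_addr)))  # one run once the address is masked
```
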