"Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> I don't know exactly how often or how long this happens. However, please
> take into account that clients may send requests at 2 second intervals at
> startup, if the iburst keyword has been used.
>
> Also, there may be several clients behind a NAT router, in which case all
> the requests from those clients seem to be coming from a single host with a
> given IP where in fact there are several hosts which are using individual
> private IPs behind the router.
>
> Depending on how many clients are currently up and running behind the router
> you may see a more or less high number of requests which seem to come from
> a single host.
>
> Did you also check the source port number of the request packets? The
> numbers should vary if the requests have been sent from several clients
> behind a router. They may or may not vary if they come from a single
> client. I think the conclusion that there is only one "bad boy" can only be
> made if the source port of the request is the same.
>
>
> Martin
> --
> Martin Burnicki
>
> Meinberg Funkuhren
> Bad Pyrmont
> Germany

I'll get a bunch of requests with the same port number, then a bunch of
packets with a different (the port for the bunch is the same) port. Also,
the time data in the request is random and corrupt. Example below. I've
contacted the source by email with no response yet. The source - a
University - lists on their web page what their own machines should be
using for NTP - their own server.

No.     Time        Source                Destination           Protocol Info
      3 3.908464    128.194.147.44        10.33.90.10           NTP      NTP client

Frame 3 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: 42536 (42536), Dst Port: ntp (123)
Network Time Protocol
    Flags: 0x23
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .011 = Mode: client (3)
    Peer Clock Stratum: unspecified or unavailable (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay: 0.0000 sec
    Root Dispersion: 0.0000 sec
    Reference Clock ID: NULL
    Reference Clock Update Time: NULL
    Originate Time Stamp: NULL
    Receive Time Stamp: NULL
    Transmit Time Stamp: Nov 27, 2018 09:08:52.1230 UTC

No.     Time        Source                Destination           Protocol Info
      4 3.908613    10.33.90.10           128.194.147.44        NTP      NTP server

Frame 4 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 (128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 42536 (42536)
Network Time Protocol
    Flags: 0x24
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 0.000001 sec
    Root Delay: 0.0282 sec
    Root Dispersion: 0.0187 sec
    Reference Clock ID: 68.216.79.113
    Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
    Originate Time Stamp: Nov 27, 2018 09:08:52.1230 UTC
    Receive Time Stamp: Jun 26, 2008 02:37:43.7211 UTC
    Transmit Time Stamp: Jun 26, 2008 02:37:43.7212 UTC

No.     Time        Source                Destination           Protocol Info
     13 8.204615    128.194.147.44        10.33.90.10           NTP      NTP client

Frame 13 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: 56540 (56540), Dst Port: ntp (123)
Network Time Protocol
    Flags: 0x23
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .011 = Mode: client (3)
    Peer Clock Stratum: unspecified or unavailable (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay: 0.0000 sec
    Root Dispersion: 0.0000 sec
    Reference Clock ID: NULL
    Reference Clock Update Time: NULL
    Originate Time Stamp: NULL
    Receive Time Stamp: NULL
    Transmit Time Stamp: Not representable

No.     Time        Source                Destination           Protocol Info
     14 8.204760    10.33.90.10           128.194.147.44        NTP      NTP server

Frame 14 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 (128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 56540 (56540)
Network Time Protocol
    Flags: 0x24
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 0.000001 sec
    Root Delay: 0.0282 sec
    Root Dispersion: 0.0188 sec
    Reference Clock ID: 68.216.79.113
    Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
    Originate Time Stamp: Not representable
    Receive Time Stamp: Jun 26, 2008 02:37:48.0167 UTC
    Transmit Time Stamp: Jun 26, 2008 02:37:48.0168 UTC

No.     Time        Source                Destination           Protocol Info
     16 9.304386    128.194.147.44        10.33.90.10           NTP      NTP client

Frame 16 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc), Dst: AsustekC_50:98:6b (00:13:d4:50:98:6b)
Internet Protocol, Src: 128.194.147.44 (128.194.147.44), Dst: 10.33.90.10 (10.33.90.10)
User Datagram Protocol, Src Port: 48143 (48143), Dst Port: ntp (123)
Network Time Protocol
    Flags: 0x23
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .011 = Mode: client (3)
    Peer Clock Stratum: unspecified or unavailable (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay: 0.0000 sec
    Root Dispersion: 0.0000 sec
    Reference Clock ID: NULL
    Reference Clock Update Time: NULL
    Originate Time Stamp: NULL
    Receive Time Stamp: NULL
    Transmit Time Stamp: Jul 6, 2020 19:40:23.2793 UTC

No.     Time        Source                Destination           Protocol Info
     17 9.304527    10.33.90.10           128.194.147.44        NTP      NTP server

Frame 17 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: AsustekC_50:98:6b (00:13:d4:50:98:6b), Dst: Cisco-Li_bb:95:dc (00:12:17:bb:95:dc)
Internet Protocol, Src: 10.33.90.10 (10.33.90.10), Dst: 128.194.147.44 (128.194.147.44)
User Datagram Protocol, Src Port: ntp (123), Dst Port: 48143 (48143)
Network Time Protocol
    Flags: 0x24
        00.. .... = Leap Indicator: no warning (0)
        ..10 0... = Version number: NTP Version 4 (4)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 0.000001 sec
    Root Delay: 0.0282 sec
    Root Dispersion: 0.0188 sec
    Reference Clock ID: 68.216.79.113
    Reference Clock Update Time: Jun 26, 2008 02:30:50.0576 UTC
    Originate Time Stamp: Jul 6, 2020 19:40:23.2793 UTC
    Receive Time Stamp: Jun 26, 2008 02:37:49.1164 UTC
    Transmit Time Stamp: Jun 26, 2008 02:37:49.1164 UTC

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
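
An added example, not part of either poster's message: a Python sketch that tabulates, per source address, the observables this thread compares (source ports used, spacing between requests, and whether the request's transmit timestamp is anywhere near the arrival time). The sample traffic, the documentation addresses and the one-hour skew threshold are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def parse_ntp(payload):
    """Decode the header fields of a 48-byte NTP packet that the dissection lists."""
    if len(payload) < 48:
        raise ValueError("short NTP packet")
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    secs, frac = struct.unpack("!II", payload[40:48])  # transmit timestamp
    return {"version": (flags >> 3) & 7, "mode": flags & 7, "stratum": stratum,
            "poll": poll, "precision": precision,
            "transmit": NTP_EPOCH + timedelta(seconds=secs + frac / 2**32)}

def summarize(requests, max_skew=timedelta(hours=1)):
    """Per source IP: request count, source ports, shortest gap, implausible transmit times."""
    by_src = defaultdict(list)
    for arrival, src_ip, src_port, payload in requests:
        pkt = parse_ntp(payload)
        if pkt["mode"] == 3:  # client requests only
            by_src[src_ip].append((arrival, src_port, pkt["transmit"]))
    report = {}
    for ip, rows in by_src.items():
        times = sorted(r[0] for r in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {"requests": len(rows),
                      "ports": sorted({r[1] for r in rows}),
                      "min_gap_s": min(gaps) if gaps else None,
                      "bad_transmit": sum(abs(r[2] - r[0]) > max_skew for r in rows)}
    return report

def client_packet(transmit):
    """Build a constructed mode-3 request (flags 0x23, stratum 0, poll 0, precision 0)."""
    secs = int((transmit - NTP_EPOCH).total_seconds())
    return struct.pack("!BBbb", 0x23, 0, 0, 0) + bytes(36) + struct.pack("!II", secs, 0)

# Constructed sample traffic (documentation addresses), not the capture from the post.
T0 = datetime(2008, 6, 26, 2, 37, 43, tzinfo=timezone.utc)
SAMPLE = [
    (T0, "192.0.2.44", 42536, client_packet(datetime(2018, 11, 27, 9, 8, 52, tzinfo=timezone.utc))),
    (T0 + timedelta(seconds=4), "192.0.2.44", 56540, client_packet(datetime(2031, 1, 1, tzinfo=timezone.utc))),
    (T0 + timedelta(seconds=5), "192.0.2.44", 48143, client_packet(datetime(2020, 7, 6, 19, 40, 23, tzinfo=timezone.utc))),
    (T0, "198.51.100.7", 123, client_packet(T0)),
    (T0 + timedelta(seconds=64), "198.51.100.7", 123, client_packet(T0 + timedelta(seconds=64))),
]

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row)
```

The per-address port list and gap figures are inputs to the judgement discussed in the thread, not a verdict on how many hosts sit behind an address.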
