Re: [ntp:questions] Legitimate Source Ports for NTP traffic?
Thanks for the link to the paper, very interesting stuff! I've only given it a quick read; when I have more time I'll definitely sit down and study it more in-depth. I noticed the data used was from May-June 2015. Has there been any newer sampling done? Or is there any other location for some statistics, like updated graphs that show the requests/day, or perhaps IPv6 traffic in these past few years?

This paper answered a lot of questions I had. One thing you might want to explore more next time is the 'abusive clients'. While their subset of physical IPs is small, calculating their amount of queries vs. the total might raise an eyebrow. Also I've noticed different 'groups' of abusive clients... Some will pound away at very fast rates for a short amount of time (i.e. less than an hour), never to be heard from again; some will do large bursts several times a day; and others query excessively 24/7, even after blocking. I even noticed a few that would INCREASE their request rate after being blocked... *rolleyes*

Finally, another interesting observation would be to sample from a few of the NTP Pool servers and see how that traffic varies (if at all), since various OSes & embedded products default to different NTP sources.

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Re: [ntp:questions] Legitimate Source Ports for NTP traffic?
I looked at a sample of NTP queries sent to a busy European server. Many queries had a precision of -6, few were -7. UDP source ports ranged from 1 to 65535. The most common UDP source ports were 123, 1026, 1027, 1028, 1025.

A NIST paper, https://tf.nist.gov/general/pdf/2818.pdf, may be of interest. The UDP source port distribution shown in figure 5a is similar to my observations.

On Wed, Nov 28, 2018 at 1:53 AM Miroslav Lichvar wrote:
> On Tue, Nov 20, 2018 at 11:19:24AM -0600, Jason Rabel wrote:
> > In response to my own question I looked a little deeper into the odd traffic using tcpdump. Best I can tell they are indeed properly formatted NTP requests, the curious bit is seeing most of these requests having a precision of -6 or -7. While I know some older MS OS set their internal time update to around that, they also use the microsoft time servers by default.
>
> Precision of -6 seems to be common. It's used by ntpdate for example. Not sure about -7.
>
> I suspect the number one reason for getting requests from privileged ports different than 123 is NAT. If there are two NTP clients behind NAT using port 123, one of them will have to get a different port.
>
> --
> Miroslav Lichvar
Re: [ntp:questions] Legitimate Source Ports for NTP traffic?
On Tue, Nov 20, 2018 at 11:19:24AM -0600, Jason Rabel wrote:
> In response to my own question I looked a little deeper into the odd traffic using tcpdump. Best I can tell they are indeed properly formatted NTP requests, the curious bit is seeing most of these requests having a precision of -6 or -7. While I know some older MS OS set their internal time update to around that, they also use the microsoft time servers by default.

Precision of -6 seems to be common. It's used by ntpdate for example. Not sure about -7.

I suspect the number one reason for getting requests from privileged ports different than 123 is NAT. If there are two NTP clients behind NAT using port 123, one of them will have to get a different port.

--
Miroslav Lichvar
Re: [ntp:questions] Legitimate Source Ports for NTP traffic?
In response to my own question I looked a little deeper into the odd traffic using tcpdump. Best I can tell they are indeed properly formatted NTP requests; the curious bit is seeing most of these requests having a precision of -6 or -7. While I know some older MS OS set their internal time update to around that, they also use the microsoft time servers by default.

My best guess is that these are modems / routers / other embedded-type equipment syncing their own clock and using a low port number that never gets used as their source port, so as not to interfere with the traffic they are passing through...
[ntp:questions] Legitimate Source Ports for NTP traffic?
I was making some firewall changes and accidentally flip-flopped some settings briefly. While reviewing the firewall logs I noticed that there was some NTP traffic coming from various privileged ports (other than 123)... Literally ports like 1, 3, 5, 6, 7, and many others in the double & triple digit range... I always thought that the source should be either 123 for a normal NTP client, or an unprivileged port 1024-65535.

Rough estimate: probably about 15% of NTP requests are from random privileged ports... That seems rather high to just be random chance. Are people really that bad at coding and following standards, or is this illegitimate traffic that should be blocked?
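An added example (not part of this thread) that does by code what the posters did by hand with firewall logs and tcpdump: decode the precision byte from NTP client packets and bucket UDP source ports into 123, other privileged (1-1023) and ephemeral (1024-65535). The packets and port numbers are constructed samples, not captured traffic.

```python
import struct
from collections import Counter

# NTP header layout (RFC 5905): byte 0 = LI(2 bits) | VN(3 bits) | Mode(3 bits),
# byte 1 = stratum, byte 2 = poll (signed), byte 3 = precision (signed log2 seconds).
# Mode 3 is a client request; precision -6 means a clock granularity of ~15.6 ms.

def build_client_packet(version=4, precision=-6, poll=6):
    """Build a minimal 48-byte NTP mode-3 client packet (constructed sample data)."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, poll, precision)  # clients send stratum 0
    return header + bytes(44)  # root delay/dispersion, ref id and timestamps left zero

def parse_ntp_header(payload):
    """Return (version, mode, stratum, poll, precision) from the first 4 header bytes."""
    if len(payload) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    return (li_vn_mode >> 3) & 0x7, li_vn_mode & 0x7, stratum, poll, precision

def classify_source_port(port):
    """Bucket a UDP source port the way the thread discusses them."""
    if port == 123:
        return "ntp-123"
    if 1 <= port < 1024:
        return "privileged-non-123"
    if 1024 <= port <= 65535:
        return "ephemeral"
    raise ValueError(f"invalid UDP port {port}")

def summarize(records):
    """Count source-port classes and precision values over (udp_src_port, payload)
    records, skipping anything that is not a mode-3 client request."""
    ports, precisions = Counter(), Counter()
    for port, payload in records:
        _version, mode, _stratum, _poll, precision = parse_ntp_header(payload)
        if mode != 3:
            continue
        ports[classify_source_port(port)] += 1
        precisions[precision] += 1
    return ports, precisions

# Constructed sample set mirroring the observations in the thread.
SAMPLE_RECORDS = [
    (123, build_client_packet(precision=-20)),
    (1026, build_client_packet(precision=-6)),
    (7, build_client_packet(precision=-6)),
    (3, build_client_packet(precision=-7)),
    (50000, build_client_packet(precision=-23)),
]

if __name__ == "__main__":
    ports, precisions = summarize(SAMPLE_RECORDS)
    total = sum(ports.values())
    for cls, n in ports.most_common():
        print(f"{cls:20s} {n:3d} ({100.0 * n / total:5.1f}%)")
    print("precision values seen:", dict(precisions))
```

Feeding real (port, payload) pairs from a pcap through summarize gives the same share-of-privileged-ports figure the original poster estimated from firewall logs.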