> I think the solution is to send back the wrong date to the abusive user,
> this is the only thing a person who has installed a bid client and not
> looked at it otherwise is likely to notice.

This seems like the right thing.  If they ignore KoD, then just
lie to them.

The one thing is, it's best if all the NTP servers agree on the lie so
they can convince the abusive client to actually use the wrong time and
thus hopefully get noticed by the owner of the misbehaving equipment.

I'd suggest an error of 1e8 seconds.  I'm not sure about the sign yet;
I suspect that + would be more obviously impossible.

3 years, 62 days, 9 hours, 46 minutes and 40 seconds is sufficiently
wrong to be useless to anybody, but also sufficiently non-random to make
people suspicious about the cause.


A DNS-based blacklist is probably unnecessary, since individual servers
can detect abusive clients fairly easily.  (It's not the first 60 pings
at 1s intervals that hurt, it's the other 86340 per day.)

But a central list *would* be helpful in educating people, contacting ISPs,
and helping ISPs police their own customers.


Of course, this still doesn't solve the SonicWALL problem of a firewall
that lets the query out and is too stupid to let the response back in.
Combined with a Netgear NTP client that doesn't back off on persistent
failure, it doesn't matter *what* kind of reply you send, and not sending
anything is the option that's least wasteful of network resources.

Distinguishing the two cases is interesting.  One simple solution
might be to look at the originate timestamp.  If it's close to correct,
they're apparently getting time from somewhere, so a response might
be useful.  If it's more than a few seconds off, they probably don't
have sync and aren't getting it from us.


Anyway, just some ideas...
_______________________________________________
timekeepers mailing list
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
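The triage the message sketches, as an added example that is not part of the post or of any NTP server: a server records each client's request rate, keeps answering normally below a threshold, sends a few kiss-o'-death (RATE) replies once a client is abusive, then either lies by +1e8 seconds (if the client's own transmit timestamp is close to the server's clock, so it evidently receives replies from somewhere) or stops replying (if the timestamp is far off, the firewall-blocked case). The 48-byte packet layout is the RFC 5905 header; the window, rate threshold, number of KoD attempts, "close enough" margin and stratum are constructed assumptions, as are the client addresses and times.

```python
"""Server-side triage of NTP requests following the heuristics in the thread.

Added example, not code from the thread or from any NTP implementation.
Assumes a 48-byte NTPv4 header, in-memory per-client state keyed by source
address, and the hypothetical thresholds defined below.
"""
import struct
import time
from collections import defaultdict, deque

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
LIE_OFFSET = 1e8                # the thread's proposed error: +1e8 seconds
CLOSE_ENOUGH = 5.0              # "close to correct" originate timestamp (assumption)
WINDOW = 600.0                  # seconds of history kept per client (assumption)
ABUSE_THRESHOLD = 120           # more than this per WINDOW is sustained abuse (assumption)
KOD_ATTEMPTS = 3                # KoD replies sent before we lie or drop (assumption)
KOD_RATE = b"RATE"              # RFC 5905 kiss code for rate limiting
SERVER_STRATUM = 2              # stratum advertised in normal replies (assumption)


def ntp_to_unix(ntp_ts):
    """Convert a (seconds, fraction) 64-bit NTP timestamp to Unix float seconds."""
    seconds, fraction = ntp_ts
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(unix):
    """Convert Unix float seconds to a (seconds, fraction) NTP timestamp."""
    whole = int(unix)
    return whole + NTP_EPOCH_OFFSET, int((unix - whole) * 2**32)


def parse_request(pkt):
    """Return (version, mode, transmit_ts) from a 48-byte client request."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    vn, mode = (pkt[0] >> 3) & 7, pkt[0] & 7
    return vn, mode, struct.unpack("!II", pkt[40:48])


def build_request(client_time, version=4):
    """Constructed client request (mode 3) whose transmit timestamp is client_time."""
    pkt = bytearray(48)
    pkt[0] = (version << 3) | 3
    struct.pack_into("!II", pkt, 40, *unix_to_ntp(client_time))
    return bytes(pkt)


def describe_offset(seconds):
    """Split an offset into 365-day years, days, hours, minutes, seconds."""
    s = int(seconds)
    years, s = divmod(s, 365 * 86400)
    days, s = divmod(s, 86400)
    hours, s = divmod(s, 3600)
    minutes, s = divmod(s, 60)
    return years, days, hours, minutes, s


class AbuseTriage:
    """Decide per request: 'reply' (true time), 'kod', 'lie' (shifted time) or 'drop'."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.history = defaultdict(deque)   # client -> arrival times inside WINDOW
        self.kod_sent = defaultdict(int)    # client -> KoD replies already sent

    def _record(self, client, now):
        q = self.history[client]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def decide(self, client, pkt):
        now = self.clock()
        _vn, mode, xmt = parse_request(pkt)
        if mode != 3:                      # only client-mode requests are served here
            return "drop", None
        if self._record(client, now) <= ABUSE_THRESHOLD:
            return "reply", now
        # Abusive. A client whose own clock is far off is not getting our replies
        # (the firewall case), so answering only wastes bandwidth.
        if abs(ntp_to_unix(xmt) - now) > CLOSE_ENOUGH:
            return "drop", None
        if self.kod_sent[client] < KOD_ATTEMPTS:
            self.kod_sent[client] += 1
            return "kod", KOD_RATE
        return "lie", now + LIE_OFFSET     # KoD was ignored: send the agreed wrong time


def build_reply(request, action, value):
    """Assemble the 48-byte server reply for a decision; None means send nothing."""
    if action == "drop":
        return None
    reply = bytearray(48)
    reply[0] = (((request[0] >> 3) & 7) << 3) | 4   # same version, mode 4 = server
    reply[24:32] = request[40:48]                   # originate ts = client's transmit ts
    if action == "kod":
        reply[1] = 0                                # stratum 0 marks a kiss-o'-death
        reply[12:16] = value                        # kiss code travels in the refid field
        return bytes(reply)
    reply[1] = SERVER_STRATUM
    ts = unix_to_ntp(value)                         # true time, or the +1e8 s lie
    for off in (16, 32, 40):                        # reference, receive, transmit
        struct.pack_into("!II", reply, off, *ts)
    return bytes(reply)


def reply_transmit_time(reply):
    """Unix time carried in a reply's transmit timestamp field."""
    return ntp_to_unix(struct.unpack("!II", reply[40:48]))
```

The lie is applied to every timestamp in the reply so that a client which computes offset from all four timestamps still lands 1e8 seconds away; for the lie to stick, every server in the pool has to shift by the same amount, as the message points out.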