There's been a lot of chatter about blacklists, but does anyone know who
our abusive clients are? Let's do some analysis, starting with my top 3
of Sep 12th:
Time      Total     Num      Client          Client    Delta  Rate
          Requests  Clients  IP              Requests  (sec)  (sec)
14:49:18  826       320      213.53.202.242  100       +0.0   1.28
14:50:28  1283      438      70.89.182.69    100       +2.0   2.00
14:50:57  1469      478      204.10.219.254  100       +1.4   2.35
(I've run whois on the IPs and know where to send the abuse mail.)
I captured 1000 NTP packets with tcpdump to analyse at leisure...
The 213.53.202.242 requests arrived from a dozen different (privileged)
source ports in a repeating cycle; each port fires at 16 second
intervals. A packet dump gives us some more information:
Internet Protocol, Src: 213.53.202.242 (213.53.202.242), Dst:
213.84.14.16 (213.84.14.16)
User Datagram Protocol, Src Port: 270 (270), Dst Port: 123 (123)
Network Time Protocol
Flags: 0x19
00.. .... = Leap Indicator: no warning (0)
..01 1... = Version number: NTP Version 3 (3)
.... .001 = Mode: symmetric active (1)
Peer Clock Stratum: secondary reference (3)
Peer Polling Interval: 4 (16 sec)
Peer Clock Precision: 0.015625 sec
Root Delay: 0.0407 sec
Clock Dispersion: 1.4632 sec
Reference Clock ID: 212.204.235.152
Reference Clock Update Time: Sep 12, 2005 12:16:19.6545 UTC
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Sep 12, 2005 13:01:23.0336 UTC
There are no replies to these requests. Despite that, the NTP clients on
the other side keep nagging my server every 16 seconds.
At 70.89.182.69 there is a different client, hammering me every 2
seconds from the ntp port. This client gets replies every 2 seconds. A
packet dump for the interested:
Internet Protocol, Src: 70.89.182.69 (70.89.182.69), Dst: 213.84.14.16
(213.84.14.16)
User Datagram Protocol, Src Port: ntp (123), Dst Port: ntp (123)
Network Time Protocol
Flags: 0x23
00.. .... = Leap Indicator: no warning (0)
..10 0... = Version number: NTP Version 4 (4)
.... .011 = Mode: client (3)
Peer Clock Stratum: secondary reference (2)
Peer Polling Interval: 6 (64 sec)
Peer Clock Precision: 0.000001 sec
Root Delay: 0.0887 sec
Clock Dispersion: 0.0638 sec
Reference Clock ID: 192.43.244.18
Reference Clock Update Time: Sep 12, 2005 12:47:13.9147 UTC
Originate Time Stamp: NULL
Receive Time Stamp: NULL
Transmit Time Stamp: Sep 12, 2005 13:01:21.5134 UTC
IP 204.10.219.254 shows a pattern similar to 213.53.202.242, but now
with requests from 7 different ports. The packet dump is so similar that
I omit it here.
So far, I guess that 204.10.219.254 and 213.53.202.242 are Microsoft
shops with some form of connection sharing. We're just enjoying
Microsoft's broken implementation of standard Internet protocols. About
70.89.182.69 I'm not sure; could it be the OpenNTP client?
Is there any information I should give to the administrators of the above
machines that might help them to fix them more quickly?
I can easily handle the NTP traffic at the moment, but I send out the
occasional (polite) email to an ISP abuse account to educate people
about proper pool use. My vote is against a blacklist.
Greetings,
Peter.
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
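As an added example, not part of Peter's post or of anything the timekeepers list publishes: a Python decoder for the 48-byte NTP header that reproduces the fields Wireshark printed above (flags split into LI/version/mode, log2 poll and precision, 16.16 fixed-point root delay and dispersion, the reference ID as an IPv4 address for stratum 2 and up, NULL timestamps), plus a per-source summary that separates the two patterns in the post: one address hammering from a single socket every 2 seconds, versus one address whose individual sockets each keep to a 16 second poll but which together add up to a request every 1.3 seconds. The two packets are constructed from the field values in the dumps; the arrival times, the stagger across the twelve source ports, and the 16 second "sane" threshold are assumptions made for the example, not measurements or a pool rule.

```python
"""Decode NTP headers from a capture and summarise per-source behaviour.

Added example; not code from the original post. The sample packets are
constructed from the field values in the two dumps; arrival times are
synthetic and MIN_SANE_INTERVAL is an assumed local policy.
"""
import struct
from calendar import timegm
from collections import defaultdict

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
MIN_SANE_INTERVAL = 16.0       # assumed policy: a source polling faster than 2**4 s is abusive
SEP12 = timegm((2005, 9, 12, 0, 0, 0))   # midnight UTC on the day of the capture


def ntp_timestamp(unix_seconds):
    """Pack a Unix time into a 64-bit NTP timestamp (only used to build sample packets)."""
    whole = int(unix_seconds)
    return ((whole + NTP_UNIX_OFFSET) << 32) | int((unix_seconds - whole) * 2**32)


def unix_time(ntp_ts):
    """Unpack a 64-bit NTP timestamp; 0 is the NULL timestamp seen in the dumps."""
    if ntp_ts == 0:
        return None
    return (ntp_ts >> 32) - NTP_UNIX_OFFSET + (ntp_ts & 0xFFFFFFFF) / 2**32


def decode_ntp(payload):
    """Parse the 48-byte NTP header (RFC 1305 / RFC 5905) into the fields Wireshark shows."""
    if len(payload) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(payload))
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbiIIQQQQ", payload[:48])
    refid_bytes = refid.to_bytes(4, "big")
    # Stratum >= 2: the reference ID is the IPv4 address of the upstream server.
    # Stratum 0/1: a four-character ASCII code such as "GPS" or "PPS".
    refid_str = (".".join(str(b) for b in refid_bytes) if stratum >= 2
                 else refid_bytes.decode("ascii", "replace").strip())
    return {"li": flags >> 6, "version": (flags >> 3) & 7,
            "mode": flags & 7, "mode_name": MODE_NAMES[flags & 7], "stratum": stratum,
            "poll_seconds": 2 ** poll,              # poll is log2 seconds: 4 -> 16 s, 6 -> 64 s
            "precision": 2.0 ** precision,          # signed log2 seconds: -6 -> 0.015625 s
            "root_delay": root_delay / 65536,       # 16.16 fixed point, signed
            "root_dispersion": root_disp / 65536,   # 16.16 fixed point, unsigned
            "reference_id": refid_str, "reference_time": unix_time(ref_ts),
            "originate_time": unix_time(orig_ts), "receive_time": unix_time(recv_ts),
            "transmit_time": unix_time(xmit_ts)}


def build_ntp(li, version, mode, stratum, poll, precision, root_delay, root_disp,
              refid, ref_time, xmit_time):
    """Inverse of decode_ntp; used to construct the sample packets from the dump values."""
    refid_int = int.from_bytes(bytes(int(o) for o in refid.split(".")), "big")
    return struct.pack("!BBbbiIIQQQQ", (li << 6) | (version << 3) | mode, stratum, poll,
                       precision, int(root_delay * 65536), int(root_disp * 65536), refid_int,
                       ntp_timestamp(ref_time), 0, 0, ntp_timestamp(xmit_time))


# Constructed from the dumps: 213.53.202.242 (v3, symmetric active, poll 16 s) and
# 70.89.182.69 (v4, client, poll 64 s). Precision -20 is 2**-20, shown as 0.000001.
PACKET_A = build_ntp(0, 3, 1, 3, 4, -6, 0.0407, 1.4632, "212.204.235.152",
                     SEP12 + 12 * 3600 + 16 * 60 + 19.6545, SEP12 + 13 * 3600 + 60 + 23.0336)
PACKET_B = build_ntp(0, 4, 3, 2, 6, -20, 0.0887, 0.0638, "192.43.244.18",
                     SEP12 + 12 * 3600 + 47 * 60 + 13.9147, SEP12 + 13 * 3600 + 60 + 21.5134)


def constructed_capture():
    """Synthetic arrivals over a 32 s window: (arrival_unix_time, src_ip, src_port, payload)."""
    t0, cap = SEP12 + 13 * 3600 + 60 + 20, []
    # A: twelve privileged source ports, each firing every 16 s, staggered across the cycle.
    for i, port in enumerate(range(270, 282)):
        for k in range(2):
            cap.append((t0 + i * 16 / 12 + k * 16, "213.53.202.242", port, PACKET_A))
    # B: one socket bound to port 123 sending a client request every 2 s.
    for k in range(16):
        cap.append((t0 + k * 2, "70.89.182.69", 123, PACKET_B))
    return cap


def summarize_clients(capture):
    """Per-source counts, intervals (overall and per source port) and abuse indicators."""
    stats = defaultdict(lambda: {"requests": 0, "modes": set(), "versions": set(),
                                 "ports": defaultdict(list), "times": []})
    for t, ip, port, payload in sorted(capture, key=lambda p: p[0]):
        hdr, s = decode_ntp(payload), stats[ip]
        s["requests"] += 1
        s["modes"].add(hdr["mode_name"])
        s["versions"].add(hdr["version"])
        s["ports"][port].append(t)
        s["times"].append(t)
    report = {}
    for ip, s in stats.items():
        gaps = [b - a for a, b in zip(s["times"], s["times"][1:])]
        mean = sum(gaps) / len(gaps) if gaps else None
        pgaps = [b - a for ts in s["ports"].values() for a, b in zip(ts, ts[1:])]
        per_port = sum(pgaps) / len(pgaps) if pgaps else None
        flags = []
        if "symmetric active" in s["modes"]:
            flags.append("mode 1 (symmetric active) sent to a server that does not peer with it")
        if len(s["ports"]) > 1:   # many sockets behind one address: NAT in front of many clients
            flags.append("%d source ports%s" % (len(s["ports"]),
                         "" if per_port is None else ", %.1f s per port" % per_port))
        if mean is not None and mean < MIN_SANE_INTERVAL:
            flags.append("mean interval %.2f s is below %.0f s" % (mean, MIN_SANE_INTERVAL))
        report[ip] = {"requests": s["requests"], "ports": sorted(s["ports"]),
                      "modes": sorted(s["modes"]), "versions": sorted(s["versions"]),
                      "mean_interval": mean, "per_port_interval": per_port, "flags": flags}
    return report


if __name__ == "__main__":
    for ip, r in summarize_clients(constructed_capture()).items():
        print(ip, r["requests"], "requests", r["modes"], "mean %.2f s" % r["mean_interval"])
        for f in r["flags"]:
            print("   -", f)
```

To run this on a real capture, feed `summarize_clients` tuples built from the UDP payloads of `tcpdump -w` output (for example via a pcap reader); the per-port interval is what distinguishes a single misbehaving client from a NAT gateway in front of many correctly-polling ones, which matters for what you tell the abuse contact.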