Wow, that's quite some sleuthing! Sorry for causing the confusion. I'm not asking you for the time, I'm running regular ntpdc sysinfo requests to all servers in the NTP pool. About one request per hour from my own NTP server host at 72.36.170.170. I've never looked at a sysinfo request packet, but presumably it's longer than the usual NTP request / response packets. I imagine snort is remembering an old security breach that was found in ntpd a few years ago.
Why am I doing all these sysinfos? Getting a few weeks' data to see if there's anything interesting to learn from monitoring pool servers' dispersion, distance to root, etc. So far the data seems pretty random, but I haven't done much analysis yet. About half the hosts I'm making requests to answer them.

Again, my apologies for the confusion. There is a whois record for my IP but I'm glad you didn't find it, because it would have pointed you to the abuse address for my hosting services provider :-)

This all reminds me of the alarm bells I set off in my 1999 survey. I'm not following my own advice about creating PTR records partly because this was a quick hack and partly because I don't have any control over them anyway.

J.A.C.M. (Jos) van de Ven wrote:
> Hi,
>
> I have Snort running on my firewall and there is 1 IP address triggering a
> NTPDX overflow attempt.
> When I took a closer look at this rule I saw that these packets are > 128
> size.
> I tried to do a whois on this IP with no result. Then a traceroute brought
> me to lt.nelson.monkey.org.
> I visited the homepage at www.monkey.org and on the members list I saw a
> "Nelson". A click on that name brought me to a weblog and guess what? I knew
> this guy. He posted a message on this list a few minutes ago, what a
> coincidence!
>
> So please Nelson, can you explain to me why your packets don't have a
> standard size for ntp, or am I wrong or Snort? And why are you polling me in
> the Netherlands from overseas? I could not query your server and you
> appeared in my logs from October 3rd till 9th, BTW.
>
> Thanks,
> Jos van de Ven

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
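As an added example (not part of this thread or of ntpd/Snort), here is how a firewall operator could triage an alert like the one above: decode the NTP mode from the first byte so that a mode 7 (ntpdc) request is recognised as a monitoring query rather than an oversized time packet. The 128-byte threshold follows Jos's description of the rule and is an assumption, and the sample payloads are constructed, not captured traffic.

```python
# Added example, not from the thread: classify an NTP/UDP payload by mode
# before deciding whether an oversized packet is worth investigating.
NTP_STD_LEN = 48               # time packet: LI/VN/mode header + 4 timestamps
RULE_DSIZE_THRESHOLD = 128     # assumed: the rule fires on payloads > 128 bytes

MODE_NAMES = {
    1: "symmetric-active", 2: "symmetric-passive", 3: "client", 4: "server",
    5: "broadcast", 6: "control (ntpq)", 7: "private (ntpdc)",
}


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fields every NTP packet type shares.

    Time packets (modes 1-5), control packets (mode 6) and private packets
    (mode 7) all keep the mode in the low three bits of the first byte and
    the version in bits 3-5, so one decode classifies any of them.
    """
    if not payload:
        raise ValueError("empty payload")
    first = payload[0]
    info = {
        "mode": first & 0x07,
        "version": (first >> 3) & 0x07,
        "length": len(payload),
    }
    info["mode_name"] = MODE_NAMES.get(info["mode"], "reserved")
    if info["mode"] == 7 and len(payload) >= 4:
        # Mode 7 header: bit 7 of byte 0 = response flag, byte 2 =
        # implementation, byte 3 = request code (the ntp_request.h
        # numbering is not decoded here).
        info["response"] = bool(first & 0x80)
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
    return info


def triage(payload: bytes) -> str:
    """Return 'ignore', 'monitoring-query' or 'investigate' for one payload."""
    hdr = parse_ntp_header(payload)
    if hdr["length"] <= RULE_DSIZE_THRESHOLD:
        return "ignore"              # the size rule would not fire at all
    if hdr["mode"] == 7:
        return "monitoring-query"    # ntpdc requests/replies are large by design
    return "investigate"             # large packet in a time-exchange mode


# Constructed sample payloads (placeholder bytes, not captured traffic).
CLIENT_REQUEST = bytes([0x1B]) + bytes(NTP_STD_LEN - 1)       # LI=0 VN=3 mode=3
NTPDC_REQUEST = bytes([0x17, 0x00, 0x03, 0x04]) + bytes(188)  # VN=2 mode=7, padded
OVERSIZED_CLIENT = bytes([0x1B]) + bytes(199)                 # mode 3 but 200 bytes
```

Running `triage` over the payloads of the packets that fired the rule separates ntpdc traffic from anything that genuinely deserves a closer look.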
