Re: [Ntp] NTP version 1 requests

Paul Gear <ntp@libertysys.com.au> Tue, 23 June 2020 09:14 UTC

To: ntp@ietf.org
References: <20200622180317.E6E6240605C@ip-64-139-1-69.sjc.megapath.net>
From: Paul Gear <ntp@libertysys.com.au>
Message-ID: <9bbd4b50-40f2-efa0-7313-74a5832920cc@libertysys.com.au>
Date: Tue, 23 Jun 2020 19:14:23 +1000
MIME-Version: 1.0
In-Reply-To: <20200622180317.E6E6240605C@ip-64-139-1-69.sjc.megapath.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-AU
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/A9voXF6pMqzQt-D2zcmwgMxVXS8>
Subject: Re: [Ntp] NTP version 1 requests

I took a sample of traffic coming into my pool servers over a 2-hour
period.  I've only done some very basic analysis, but I see between
about 0.6% and 2.1% of NTP traffic is v1.

I looked at some of the differences between received packets (mode &
root dispersion are the most obvious), and looked up a few IPs in
Shodan, and I'd say there are at least 2 or 3 different implementations
involved.

One looks to be a particular Cisco model often used for IPsec VPNs,
probably supplied by TPG Internet (or one of the companies it bought
out) here in Australia, and another appears to be an embedded platform
used by an ISP in the Philippines.  (The population is probably skewed,
since my servers are in the AU & Oceania pools.)

I don't have a paid Shodan account, so I can't do a full analysis, but
I'm happy to share the packet captures if someone else has better tools
for reconnaissance on the IPs.

Regards,
Paul

On 23/6/20 4:03 am, Hal Murray wrote:
> I have a couple of servers in the pool.  They get version 1 requests.
>
> Does anybody know what software package and/or OS/distro they are coming from?
>
> 0.25% in San Francisco
> 0.025% in London
>
>
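The kind of header-field comparison described in Paul's reply (version, mode, root dispersion) can be scripted against a capture. The following is an added example, not code from either poster; it parses the 48-byte NTP header per RFC 5905 and tallies the v1 share and per-(version, mode, root dispersion) fingerprints over a constructed sample rather than real pool traffic.

```python
import struct
from collections import Counter

# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbIII8s8s8s8s")


def parse_ntp_header(packet):
    """Extract the fields most useful for telling client implementations apart."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("packet shorter than a 48-byte NTP header")
    (li_vn_mode, stratum, poll, precision,
     root_delay, root_disp, ref_id, *_) = NTP_HEADER.unpack_from(packet)
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        # Root delay and root dispersion are 16.16 fixed point, in seconds.
        "root_delay": root_delay / 65536.0,
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref_id,
    }


def build_request(version, mode, root_dispersion=0.0):
    """Construct a minimal 48-byte request; sample input only, not captured traffic."""
    li_vn_mode = (version << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, 0, 0, 0, 0, int(root_dispersion * 65536), 0,
                           b"\0" * 8, b"\0" * 8, b"\0" * 8, b"\0" * 8)


def summarise(packets):
    """Return the v1 share and a Counter of (version, mode, root dispersion) fingerprints."""
    parsed = [parse_ntp_header(p) for p in packets]
    v1 = sum(1 for f in parsed if f["version"] == 1)
    fingerprints = Counter(
        (f["version"], f["mode"], round(f["root_dispersion"], 4)) for f in parsed)
    share = v1 / len(parsed) if parsed else 0.0
    return {"total": len(parsed), "v1_share": share, "fingerprints": fingerprints}


def constructed_sample():
    """Constructed mix: mostly v4 clients plus two differing v1 senders (hypothetical)."""
    return ([build_request(4, 3)] * 97
            + [build_request(1, 3)] * 2
            + [build_request(1, 0, root_dispersion=1.0)])
```

Replace `constructed_sample()` with the 48-byte UDP payloads from a pcap to get real counts; the fingerprint Counter is what separates senders that share a version but differ in mode or root dispersion.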