Re: [Ntp] Garbage NTP request packets
Watson Ladd <watsonbladd@gmail.com> Thu, 24 September 2020 02:17 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79D5B3A1715 for <ntp@ietfa.amsl.com>; Wed, 23 Sep 2020 19:17:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nS8C4mJtRZu7 for <ntp@ietfa.amsl.com>; Wed, 23 Sep 2020 19:17:54 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BD13A1714 for <ntp@ietf.org>; Wed, 23 Sep 2020 19:17:54 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id b22so2039736lfs.13 for <ntp@ietf.org>; Wed, 23 Sep 2020 19:17:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GTWlvFL6BnCYCO3C2622ihBJ2wwE8n9hgxSzzTkAxks=; b=VORLFh+jV9BF6erlF2sYIcjdq+nt3dQBt6MPsHaX+4lcKF2szmEX4VdQnSiQgrXZjL Rzaoya34yaWZHlNMbl920pE8rL2tCBiEnOQ8bGxHqQQaa6ubR4Shy+3VUWmcMuugDm85 RzuKsFzZxkHBIBsQRas93Ey8ti2jyWpNpK7mBKvFXBbla2UVM4JirG4NhR3LKGt6ceOf nMr6cXCmAH+WqVtRuvfQjWYiV6D+g1rH0/CEIn70SnRcfpkDkC1BBkDZtsJX/UR+QwB9 w8/SD84XCw7/duQS8grxUm1CbWDgU9d2qO8KBqczQos3dwBjDu/0DXOn0ScGW3IgGtP0 lD2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GTWlvFL6BnCYCO3C2622ihBJ2wwE8n9hgxSzzTkAxks=; b=f/o3AHPjijn6ceK6fhJ2DAj9iptvEqz3Sif0iegYWQaj8Pp9i5UOfF+Bkxr7R/DUDv Hy5v1GK6NlRYASOfInRsjkhLw8adm/hYxZMBrvePrzD1kcL0L79g+9d7d7O2ce8hl8yo k7TmBRCvQhtAiXEPbBhPIeyEFcyqV3iDV5RHhqD48qr53fEXb6ZwDguV10ZY+WQKiazb ddXXcRKeN4OfCcTltX4R6HZzrXBOBKf6rDEGXTgd2Z6VKdwFAw79Vh12XKiTdSY18uDx T9yDZ0dZCex1HeYjlmSTPgqLthh7sf1lGOq7e7tUH3jE7UwkB0+zewSluQ2oH9dyQce9 MukA==
X-Gm-Message-State: AOAM533DIgO2yvcZw3d6T6Aj3llrheFOeYZUZfVW9dBZv+h/m+BA+gDc Kn4knkncCjXyTfm5ShJAdhM8yrAFZfoTKih7YbM=
X-Google-Smtp-Source: ABdhPJyLqvUI/uOjn35Xaa2jP+BCqATHpw6FNKhDX4wrnvt2tI7dr3OiBIA8Wh0asn0HkuFTsas600IXuk9fJnZNXxI=
X-Received: by 2002:a19:4045:: with SMTP id n66mr730804lfa.232.1600913872499; Wed, 23 Sep 2020 19:17:52 -0700 (PDT)
MIME-Version: 1.0
References: <20200923053414.07A4940605C@ip-64-139-1-69.sjc.megapath.net> <20200923084423.GA1398053@localhost> <9340fee2-dfbd-4a40-e9a9-cedc8e6222f2@ntp.org> <CAJm83bAeXOsKuO173Dw8YYGiUc3Qy6_xko6vPosYCOSHddDWBQ@mail.gmail.com>
In-Reply-To: <CAJm83bAeXOsKuO173Dw8YYGiUc3Qy6_xko6vPosYCOSHddDWBQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 23 Sep 2020 22:17:41 -0400
Message-ID: <CACsn0c=O-wH_xLd2-VG4t8yH61ADvv2eHOZCY4RaE2eMUSVUXw@mail.gmail.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: Danny Mayer <mayer@ntp.org>, Miroslav Lichvar <mlichvar@redhat.com>, Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/CKyVlxPd0_nTNMe-KU1Sk1z6DXw>
Subject: Re: [Ntp] Garbage NTP request packets
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 02:17:56 -0000
Isn't there a rechartering where we get to define the scope due? I may have promised to write a draft charter, but know nothing about such matters: will ask around at work. Such a charter could, AFAIK, include operational issues: I know there is a dnsops WG. Whether or not that's desirable or effective is another question, and I'm not aware of other fora for NTP operational questions to be discussed. It's certainly something that has to be considered in future standardization. On Wed, Sep 23, 2020 at 3:49 PM Daniel Franke <dfoxfranke@gmail.com> wrote: > > Danny, I agree that Hal's question is slightly off-topic for this list > but I can't think of any better forum for it. The people who should > see it are all here; I don't they're all anywhere else. Is it worth > spinning up a new list for this sort of thing? Something like an > implementation-neutral forum for NTP developers and public server > operators? > > On Wed, Sep 23, 2020 at 3:35 PM Danny Mayer <mayer@ntp.org> wrote: > > > > Was there a working group question in here? > > > > On 9/23/20 4:44 AM, Miroslav Lichvar wrote: > > > On Tue, Sep 22, 2020 at 10:34:13PM -0700, Hal Murray wrote: > > >> I noticed that an error counter that was going off more than I expected, so I > > >> hacked a server to print out a few garbage requests. > > > I think that's normal. On my public servers I see all kinds of weird > > > requests. > > > > > >> Ones like this happen often enough to attract my attention. > > >> e3000000 00000000 00000000 00000000 > > >> 00000000 00000000 00000000 00000000 > > >> 00000000 00000000 00000000 00000000 > > >> 00000020 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff > > >> > > >> The first 3 lines look like a version 4 request. The last line starts to look > > >> like a MAC using key 20 (hex) but the HMAC/CMAC part is 28 bytes. I haven't > > >> setup key 20 and our code doesn't support bare MACs with a total length of 32 > > >> bytes. > > > This example looks like a valid NTPv4 request to me. It's not a MAC, > > > but an extension field (type 0, length 32 octets). > > > > > > I have a script for monitoring pool.ntp.org servers that sends > > > requests like that (and others) to check various features of the > > > server like whether it can respond to an unknown extension field, what > > > implementation it is running, etc. FWIW, a server that doesn't respond > > > to a request that has an unknown extension field makes it more > > > difficult for clients to detect whether the extension field is > > > supported. > > > > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp -- Astra mortemque praestare gradatim
- [Ntp] Garbage NTP request packets Hal Murray
- Re: [Ntp] Garbage NTP request packets Paul Gear
- Re: [Ntp] Garbage NTP request packets Miroslav Lichvar
- Re: [Ntp] Garbage NTP request packets Danny Mayer
- Re: [Ntp] Garbage NTP request packets Daniel Franke
- Re: [Ntp] Garbage NTP request packets Hal Murray
- Re: [Ntp] Garbage NTP request packets Watson Ladd
- Re: [Ntp] Garbage NTP request packets Erik Kline
- Re: [Ntp] Garbage NTP request packets Danny Mayer