logging
Hal Murray
hmurray at megapathdsl.net
Sat Apr 13 03:54:24 UTC 2019
Gary said:
>> Somebody on 2600:1700:6731:6c0:f2de:f1ff:fe20:1bbe is sending you
>> packets that don't make sense. Same for 68.75.8.147.
> Those two hit my hackathon server as well. But the connection is a normal
> NTPv4 exchange on UDP.
Depends on what you mean by "normal". How much did you investigate?
From my sample:
6 Apr 07:44:56 ntpd[10742]: JUNK: M3 V4 0/23 1 4ef 48/ 0 0 020 from 68.75.8.147:36693, lng=80
6 Apr 07:45:47 ntpd[10742]: JUNK: M3 V4 0/23 1 4ef 48/ 0 0 030 from 68.75.8.147:34025, lng=96
...
The packet lengths are growing in steps of 16 bytes. The 48/ stuff prints out
the next 4 bytes in hex. So that would be extension type 0 with lengths of 20
(hex), 30, ... 20 hex is 32 decimal. 32+48 for the basic NTP packet is 80 as
reported. So there is a type 0 extension with 32 bytes. Doesn't seem normal
to me. I'd bet on probing for a bug.
--
These are my opinions. I hate spam.
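
Added example, not part of the original post and not ntpd code: the arithmetic in the message above (a 48-byte NTP header followed by an extension whose first 4 bytes give type and length) written as a check over raw UDP payloads. The function names, the 24-byte MAC cutoff and the sample packets are constructed assumptions.

```python
import struct

NTP_HEADER_LEN = 48  # "48 for the basic NTP packet", as in the post
MAX_MAC_LEN = 24     # assumption: a trailer this short is key ID + digest, not an extension


def parse_extensions(pkt):
    """Return (mode, version, [(field_type, length), ...], findings) for one payload."""
    if len(pkt) < NTP_HEADER_LEN:
        return None, None, [], ["short packet: %d bytes" % len(pkt)]
    mode, version = pkt[0] & 0x07, (pkt[0] >> 3) & 0x07
    fields, findings = [], []
    off = NTP_HEADER_LEN
    while len(pkt) - off > MAX_MAC_LEN:
        # 16-bit field type, then 16-bit length, both big-endian.
        ftype, flen = struct.unpack_from("!HH", pkt, off)
        # The length covers the 4-byte extension header plus body and padding.
        if flen < 4 or flen % 4 or off + flen > len(pkt):
            findings.append("bad extension length 0x%x at offset %d" % (flen, off))
            break
        fields.append((ftype, flen))
        if ftype == 0:
            # Flagged because the post treats a type 0 extension as not normal.
            findings.append("type 0 extension, %d bytes, at offset %d" % (flen, off))
        off += flen
    return mode, version, fields, findings


def make_sample(ext_len, total_len=None):
    """Constructed test packet: mode 3, version 4, one type 0 extension."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)  # 0x23 = LI 0, VN 4, mode 3
    ext = struct.pack("!HH", 0, ext_len) + bytes(ext_len - 4)
    pkt = header + ext
    return pkt if total_len is None else pkt[:total_len]


if __name__ == "__main__":
    # 0x20 and 0x30 are the two extension lengths quoted in the post.
    for ext_len in (0x20, 0x30):
        pkt = make_sample(ext_len)
        print(len(pkt), parse_extensions(pkt))
```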