Internal IPs ntp users seen in open network

I use my old Android phone as an NTP server with a 4G mobile data connection. I only have an external IP of 121.202.78.90 but no internal IP. However, when I track the connections using PCAPdroid, internal IPs of 10.247.x.x are seen. Given that internal IPs cannot be directly used when communicating on the Internet, this seems strange. Am I being hacked?

Maybe your mobile carrier has CGNAT.


Thanks for telling me. Now, through packet capturing, I found that IP 115.182.19.54 sends me 5-10 requests per second, which is unusual for NTP clients. Is it DDoS activity? Or is there some setting error in the NTP client 115.182.19.54? And should I block the host?


It’s most likely a broken client that keeps retrying. Blocking it might help or might make it send you more queries.

For the 10.247.0.0/16 IPs, the easiest guess would be that they are “leaked” packets that didn’t get NAT’ed, but @alica’s suggestion of the carrier using that space for Carrier Grade NAT sounds plausible.

Can you ping the IP (test it just after getting a query from the 10.x IP)?

I have pinged the IP before but got no response, and then I ran traceroute; the host still cannot be reached.

Thanks for telling me. Now, through packet capturing, I found that IP 115.182.19.54 sends me 5-10 requests per second, which is unusual for NTP clients. Is it DDoS activity? Or is there some setting error in the NTP client 115.182.19.54? And should I block the host?

It is not unusual to see even hundreds or thousands of requests from the same IP address, which is not necessarily a single host.
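An added example, not part of any post in this thread: a Python triage of a capture like the one discussed above, labelling each source by address space (RFC 1918 private, RFC 6598 CGNAT shared, or public) and computing its peak request rate. The records, the host octets of the 10.247.x.x address, and the 5 requests/second threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify_source(ip):
    """Label a source address by the address space it belongs to."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918-private"
    if addr in CGNAT_SHARED:
        return "cgnat-shared"
    return "public"

def peak_rate(timestamps, window=1.0):
    """Largest number of requests seen inside any `window`-second span."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:  # drop requests older than the window
            start += 1
        best = max(best, end - start + 1)
    return best

def summarise(records, threshold=5):
    """records: iterable of (unix_time, source_ip) for inbound NTP requests.
    threshold (requests/second) is an assumed value, tune it to your server."""
    by_src = defaultdict(list)
    for ts, src in records:
        by_src[src].append(ts)
    report = {}
    for src, times in by_src.items():
        peak = peak_rate(times)
        report[src] = {
            "space": classify_source(src),
            "requests": len(times),
            "peak_per_sec": peak,
            # High rate = worth a closer look; one public IP can be many NATed clients.
            "review": peak >= threshold,
        }
    return report

# Constructed sample, not taken from a real capture.
SAMPLE = (
    [(i * 0.125, "115.182.19.54") for i in range(24)]    # 8 requests/second
    + [(t, "10.247.3.7") for t in (0.0, 64.0, 128.0)]     # one poll every 64 s
    + [(0.5, "203.0.113.5"), (0.6, "203.0.113.5")]        # documentation range
)
```

Calling `summarise(SAMPLE)` returns one row per source address; feed it `(timestamp, source)` pairs exported from your own capture.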

@wilsoncheung

I see this on a regular basis on my servers (many thousand requests from a single IP address).
It happens e.g. if it's a provider-owned IPv4 address and they do Carrier Grade NAT, which means their customers have only IPv6 addresses assigned, and if the customers' devices do an NTP request, the requests get NATed from IPv6 to the single IPv4 address all at the same time and you see a huge spike in inbound traffic from one single IP address.

I have seen spikes of up to 100k requests / second for about 10 seconds, then it calms down again.

Regarding your profile:

It says “Smartone Mobile Communication’s pool servers” and it has several of University of Wisconsin's NTP servers in it.

Don't get me wrong on this but I would like to ask: Do you own/have permission to add their servers to the pool?


@ask, this is the same account (https://www.ntppool.org/a/wilsoncheung) as in this post, where they had added Apple and Facebook servers: Company adding servers to the pool that they don't own


Sorry for that, I won’t do this again. I just wanted to contribute to the pool at that time and did not intend any hacking. Next time I will not do this again.


I have deleted the Wisconsin servers
