Scoring offenders by country (a bit of fun)

Found some strange messages in NTPSec’s logs, starting with “EX-REQ:”, and as far as I’ve gathered, it means the server refused a request? So I decided to have a bit of fun, extracting and grouping the IP addresses by GeoIP and scoring each country based on number of offenders, like so:

    for ip in $(journalctl -u ntpsec -e | grep "EX-REQ: Count" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u); do geoiplookup "$ip"; done | sort | uniq -c | sort -nr

I decided to exclude IPv6 since there’s only one offender there in my case and I don’t think I’d be able to make a one-liner of a command to deal with both IPv4 and IPv6.

My result:

      9 GeoIP Country Edition: DE, Germany
      7 GeoIP Country Edition: NO, Norway
      2 GeoIP Country Edition: RS, Serbia
      2 GeoIP Country Edition: KR, Korea, Republic of
      1 GeoIP Country Edition: UA, Ukraine
      1 GeoIP Country Edition: NL, Netherlands
      1 GeoIP Country Edition: CZ, Czech Republic
      1 GeoIP Country Edition: CN, China
      1 GeoIP Country Edition: CA, Canada

And total offenses per country:

    for ip in $(journalctl -u ntpsec -e | grep "EX-REQ: Count" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -V); do geoiplookup "$ip"; done | sort | uniq -c | sort -nr

My result:

    206 GeoIP Country Edition: NO, Norway
     35 GeoIP Country Edition: RS, Serbia
     12 GeoIP Country Edition: DE, Germany
      4 GeoIP Country Edition: CA, Canada
      3 GeoIP Country Edition: KR, Korea, Republic of
      3 GeoIP Country Edition: CZ, Czech Republic
      1 GeoIP Country Edition: UA, Ukraine
      1 GeoIP Country Edition: NL, Netherlands
      1 GeoIP Country Edition: CN, China

My server: 185.175.56.208

Anyone else want a go? :smiley:

1 Like
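The same grouping as the one-liners above, redone in Python as an added example (not the poster's own command): it takes both IPv4 and IPv6 addresses from the EX-REQ lines, which the shell version skipped, and counts distinct offenders and total offenses per country plus offenses per IP so a single dominant client stands out. The journal excerpt and the prefix-to-country table are constructed stand-ins; the MaxMind database that geoiplookup reads is not consulted.

```python
import ipaddress
import re
from collections import Counter

# Constructed journal excerpt (not a real NTPsec log) using RFC 5737/3849
# documentation addresses; only "EX-REQ: Count" mirrors the string grepped for.
SAMPLE_JOURNAL = """\
Jan 01 10:00:01 host ntpd[123]: EX-REQ: Count 4, 203.0.113.7
Jan 01 10:00:02 host ntpd[123]: EX-REQ: Count 1, 203.0.113.7
Jan 01 10:00:03 host ntpd[123]: EX-REQ: Count 1, 198.51.100.20
Jan 01 10:00:04 host ntpd[123]: EX-REQ: Count 2, 2001:db8:1::5
Jan 01 10:00:05 host ntpd[123]: EX-REQ: Count 1, 203.0.113.200
Jan 01 10:00:06 host ntpd[123]: DDoS: 192.0.2.9 (not an EX-REQ line)
"""
# Hypothetical prefix-to-country table standing in for geoiplookup's database.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/25"): "NO",
    ipaddress.ip_network("203.0.113.128/25"): "RS",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("2001:db8::/32"): "DE",
}
TOKEN = re.compile(r"[0-9A-Fa-f:.]+")  # loose; ipaddress does the validation

def extract_ips(journal):
    """Every IPv4/IPv6 address on EX-REQ lines, one entry per log line."""
    found = []
    for line in journal.splitlines():
        if "EX-REQ: Count" not in line:
            continue
        for token in TOKEN.findall(line):
            try:
                found.append(ipaddress.ip_address(token.strip(".")))
            except ValueError:
                pass  # timestamps, PIDs and stray hex letters fail to parse
    return found

def country_of(ip, table=GEO_TABLE):
    ip = ipaddress.ip_address(ip)
    for net, code in table.items():
        if ip in net:  # False across address families, so v4/v6 never mix
            return code
    return "??"

def score(journal, table=GEO_TABLE):
    """(distinct offenders per country, offenses per country, offenses per IP)."""
    ips = extract_ips(journal)
    per_ip = Counter(str(ip) for ip in ips)  # the sort -V | uniq -c view
    offenders = Counter(country_of(ip, table) for ip in per_ip)  # sort -u view
    offenses = Counter(country_of(ip, table) for ip in ips)
    return offenders, offenses, per_ip
```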

Interesting. I have been logging NTP packets through my router that come from bad reputation addresses and came up with this dashboard. I have turned on rules in the router to block these requests since too many of them were probes with malformed payloads. I am using the router logging sent to a Graylog log server to produce the dashboard.

2 Likes

A very specific type of refusal; there are many more that will not log this, or that will potentially log something else.

ntpsec’s ntpd/ntp_proto.c has a function maybe_log_junk() which rate-limits these as well as “EX-REP” and “DDoS” messages. All three types and all clients combined appear to be rate-limited to once per two hours overall.

The EX-REQ log entries happen when a client is trying to use authentication (symmetric, autokey, or NTS) and the server doesn’t support it for that client. I wouldn’t consider these clients to be abusive based solely on seeing those log entries. Even if you disagree, the rate-limiting makes your counts relatively garbage-in, garbage-out.

Cheers,
Dave Hart

1 Like

I see, that’s informative, thanks!

I was trying to figure out what exactly these messages mean and couldn’t find any good explanations anywhere.
Also, one single IP address was behind the majority of these log messages, and whois revealed it belongs to “Finnmark Fylkeskommune”, that is, the county administration of Finnmark in Norway. Probably a poorly configured client?