arcade
October 8, 2021, 3:59pm
1
Hello.
I’m running a server in the pool, and it’s mostly a quiet place. But 3 to 4 days ago I started getting a considerably high amount of requests from one host:
18:39:39.642792 IP (tos 0x10, ttl 59, id 33756, offset 0, flags [DF], proto UDP (17), length 76)
78.26.151.96.33417 > 37.57.97.118.123: [udp sum ok] NTPv4, length 48
Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 2550007514.202855142 (1980/10/22 02:25:14)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 2550007514.202855142 (1980/10/22 02:25:14)
The host sends ~4k packets per sec at me. I’m not sure it expects any answer. At least my server is not sending any.
Just wanted to understand what I can do in this situation. Is it common? Is it ok to contact the abuse email from whois data?
Thanks in advance.
NTPman
October 8, 2021, 4:08pm
2
Maybe your NTP server encountered a FortiGate firewall, or some other similarly buggy NTP client?
(This summarizes a problem mentioned in other discussions.)
A recent enhancement to FortiOS, used in the FortiGate firewall, did not handle NTP DNS changes correctly. When DNS mapping changed FortiGate firewalls sent 10 second duration NTP bursts at rates that could exceed 20,000 requests/second. NTP Pool servers were impacted due to the use of DNS load balancing. Our team monitored three NTP pool servers and detected over 150 FortiGate devices sending NTP bursts.
FortiGate support identified…
arcade
October 8, 2021, 4:16pm
3
Oh wow, I’ll try to reach the admin in case they can upgrade or fix it.
See the details I posted.
This is probably a different broken client. It looks like systemd-timesyncd. It has a bug causing requests to be sent in an infinite loop. The rate depends on the hardware. On my servers I see this every few weeks.
You can confirm it’s timesyncd by looking at the sequence of its transmit timestamps in the tcpdump output. If you see the fractional part wrapping around 232 milliseconds like here, it is timesyncd.
Transmit Timestamp: 2546502342.231471647 (1980-09-11T09:45:42Z)
Transmit Timestamp: 2546502342.231726637 (1980-09-11T09:45:42Z)
Transmit Timestamp: 2546502342.231996596 (1980-09-11T09:45:42Z)
Transmit Timestamp: 2546502342.232252255 (1980-09-11T09:45:42Z)
Transmit Timestamp: 2546502342.232516713 (1980-09-11T09:45:42Z)
Transmit Timestamp: 2546502343.000168547 (1980-09-11T09:45:43Z)
Transmit Timestamp: 2546502343.000427553 (1980-09-11T09:45:43Z)
Transmit Timestamp: 2546502343.000676752 (1980-09-11T09:45:43Z)
Transmit Timestamp: 2546502343.000940676 (1980-09-11T09:45:43Z)
Transmit Timestamp: 2546502343.001201613 (1980-09-11T09:45:43Z)
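An added example, not code from this thread or from any NTP Pool or systemd project, that applies the fingerprint described above to tcpdump output: it pulls the Transmit Timestamp values out of captured lines and checks whether the fractional part stays below roughly 232 ms and restarts near zero at every second boundary. The 0.233 s bound, the sample lines and the function names are assumptions based on the values quoted in the thread; a server operator could run it over a capture before deciding to rate-limit the source or contact its admin.

```python
import re
from typing import List, Tuple

# Matches the "Transmit Timestamp: <seconds>.<fraction>" lines tcpdump -v prints for NTP.
TS_RE = re.compile(r"Transmit Timestamp:\s+(\d+)\.(\d+)")

# Assumption: the buggy client's fractional part never reaches ~233 ms (the thread shows
# values up to .2327 before the second rolls over and the fraction restarts near 0).
WRAP_SECONDS = 0.233

# Constructed sample lines modelled on the thread's output (fraction below 232 ms, then reset).
BUGGY_SAMPLE = [
    "Transmit Timestamp: 2546502342.231471647 (1980-09-11T09:45:42Z)",
    "Transmit Timestamp: 2546502342.231726637 (1980-09-11T09:45:42Z)",
    "Transmit Timestamp: 2546502342.231996596 (1980-09-11T09:45:42Z)",
    "Transmit Timestamp: 2546502342.232252255 (1980-09-11T09:45:42Z)",
    "Transmit Timestamp: 2546502343.000168547 (1980-09-11T09:45:43Z)",
    "Transmit Timestamp: 2546502343.000427553 (1980-09-11T09:45:43Z)",
]

# Constructed lines for a well-behaved client: fractions spread over the whole second.
NORMAL_SAMPLE = [
    "Transmit Timestamp: 3842101200.734120001 (2021-10-08T18:40:00Z)",
    "Transmit Timestamp: 3842101264.912003812 (2021-10-08T18:41:04Z)",
    "Transmit Timestamp: 3842101328.105577310 (2021-10-08T18:42:08Z)",
]


def parse_transmit_timestamps(lines: List[str]) -> List[Tuple[int, float]]:
    """Extract (seconds, fraction) pairs from tcpdump NTP lines; other lines are ignored."""
    out = []
    for line in lines:
        m = TS_RE.search(line)
        if m:
            seconds = int(m.group(1))
            fraction = int(m.group(2)) / 10 ** len(m.group(2))
            out.append((seconds, fraction))
    return out


def looks_like_timesyncd_loop(timestamps: List[Tuple[int, float]],
                              wrap: float = WRAP_SECONDS) -> bool:
    """True when every fraction stays below `wrap`, fractions only grow within one second,
    and at least one second boundary shows the fraction restarting below its previous value."""
    if any(fraction >= wrap for _, fraction in timestamps):
        return False  # a fraction beyond the wrap bound rules the signature out
    rollovers = 0
    for (s0, f0), (s1, f1) in zip(timestamps, timestamps[1:]):
        if s1 == s0:
            if f1 < f0:
                return False  # within one second the fraction must not go backwards
        elif s1 == s0 + 1:
            if f1 >= f0:
                return False  # after the rollover the fraction should restart near zero
            rollovers += 1
        else:
            return False  # a gap of more than one second is not the tight loop described
    return rollovers >= 1


if __name__ == "__main__":
    for name, sample in (("buggy", BUGGY_SAMPLE), ("normal", NORMAL_SAMPLE)):
        verdict = looks_like_timesyncd_loop(parse_transmit_timestamps(sample))
        print(f"{name}: timesyncd-style loop = {verdict}")
```

The check deliberately needs at least one second rollover in the capture: a single packet with a small fraction, like the one in the first post, is consistent with the bug but not proof of it, which is why the thread asks for a sequence of transmit timestamps.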
arcade
October 8, 2021, 6:50pm
6
Transmit Timestamp: 2550018890.232773597 (1980/10/22 05:34:50)
Transmit Timestamp: 2550018891.000000237 (1980/10/22 05:34:51)
Oh, that looks close.
system
Closed
November 7, 2021, 6:50pm
7
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.