Hi,
Periodically, I run surveys of all hosts running the Network Time Protocol
(NTP) software. This is done to ensure that the campus NTP service is
working properly and to tune the service to better meet the campus's
needs.
The survey looks for hosts running the full-blown NTP daemon (usually
unix, Windows NT, or Netware 5 hosts); it is not concerned with hosts
running Simple NTP (SNTP) clients. Computers that are not running the
full-blown NTP software that have personal firewalls installed might log
attempts to talk to UDP port 123, the IANA designated NTP protocol
port. The source of these attempts will be IP address 128.32.206.242
(rancid.net.berkeley.edu). This is benign, and there is no need to report
it.
Currently, there aren't any known exploits for NTP (although seriously
misconfigured servers might be vulnerable); logged connections to port 123
are almost always surveys. (An internet-wide survey is currently being
conducted by a grad student at MIT.)
For more information on NTP, check out these fascinating sites:
http://istpub.berkeley.edu:4201/bcc/Winter2000/net.nettime.html
(nominated for an ISTy award for "Most Likely to Put the Reader to Sleep
Within First Minute")
http://www.net.berkeley.edu/dcns/time/
Questions? Email me. I am in the book.
Michael Sinatra
IST COMMUNICATION AND NETWORK SERVICES
This archive was generated by hypermail 2b29 : Sun May 28 2000 - 18:04:12 PDT