On Fri, 19 Oct 2007, RW wrote:

> I have a GENERIC 4.1 box running ntpd as a server that is now part of
> au.pool.ntp.org and suddenly (once the world discovered it) the logs
> began to fill with entries like:
> Oct 19 16:46:05 freya ntpd[12012]: malformed packet received from 121.216.235.111
> Oct 19 16:46:19 freya ntpd[12012]: malformed packet received from 144.131.135.143
> Oct 19 16:46:25 freya ntpd[12012]: malformed packet received from 58.173.48.94
> Oct 19 16:46:46 freya ntpd[12012]: malformed packet received from 58.168.107.247
> Oct 19 16:47:20 freya ntpd[12012]: malformed packet received from 144.131.135.143
> Oct 19 16:48:21 freya ntpd[12012]: malformed packet received from 144.131.135.143
> Oct 19 16:48:29 freya ntpd[12012]: malformed packet received from 58.168.107.247
> Oct 19 16:49:22 freya ntpd[12012]: malformed packet received from 144.131.135.143
>
> So I went running to Mrs Google and she didn't say much really but one
> entry showed that somebody found that one version of Debian could deal
> with an early OBSD ntpd but a later Deb could not.
>
> I followed up some cvs entries for "our" ntpd and I can see the message
> text there but nothing much to let me figure out if it can be mitigated
> in any way.

Well, you see ntpd doing the mitigation. It has received a request with
an improper length. Some clients do that. It might even be some joker
sending garbage to your ntpd.

> Ohh whoops! I just saw the tail -f daemon stop scrolling and it's now
> been silent for several minutes after nearly an hour where a bunch of
> Telstra (not my ISP) adsl customers repeatedly hammered the box.
>
> Anyway can someone please give me a clue as to what the effect is at
> t'other end clients?

ntpd will ignore these requests. The client will not receive a reply.
Most clients conclude your server is down and start polling very
infrequently to see if it has come back.

	-Otto

> If it starts again what is the best tcpdump recipe to capture data that
> smart people need?
> I did a tcpdump -X -s 1500 -nettti rl0 udp and dst 218.214.194.118 but
> the output did not mean much to me.
>
> Any other clues?
>
> Thanx,
> Rod/
>
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?
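
One way to triage the "malformed packet" entries quoted in this thread, as an added example that is not part of the original messages or of OpenNTPD: tally the log lines per source and measure the gap between repeats, to see which senders keep retrying and how often. The function names and the `year` parameter are assumptions made for this sketch; the sample lines are the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Log lines copied from the message quoted above (ntpd syslog output).
SAMPLE_LOG = """\
Oct 19 16:46:05 freya ntpd[12012]: malformed packet received from 121.216.235.111
Oct 19 16:46:19 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:46:25 freya ntpd[12012]: malformed packet received from 58.173.48.94
Oct 19 16:46:46 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:47:20 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:21 freya ntpd[12012]: malformed packet received from 144.131.135.143
Oct 19 16:48:29 freya ntpd[12012]: malformed packet received from 58.168.107.247
Oct 19 16:49:22 freya ntpd[12012]: malformed packet received from 144.131.135.143
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ntpd\[\d+\]: "
    r"malformed packet received from (?P<src>\S+)$"
)

def summarize(log_text, year=2007):
    """Return {source: (count, median gap in seconds or None)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["src"]].append(ts)
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src] = (len(stamps), median(gaps) if gaps else None)
    return report

def repeat_senders(report, min_count=3):
    """Sources seen at least min_count times, busiest first."""
    return sorted((s for s, (n, _) in report.items() if n >= min_count),
                  key=lambda s: -report[s][0])

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src in sorted(rep, key=lambda s: -rep[s][0]):
        n, gap = rep[src]
        print(f"{src:<16} {n:>2} packets, median gap {gap} s")
```

On the quoted sample, one source accounts for half the entries and arrives at a steady 61-second interval, which is the kind of sender worth capturing with tcpdump if the flood resumes.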