Tag Archives: NTP

NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDOS attack.

The basic premise is that time requests are sent to the service with a spoofed IP for the response. Add in 100/1000/10000 clocks send results to a server/service that did not request them results in a denial of service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

NTP: ntpq output explained

Host1:~# ntpq -p
remote refid st t when poll reach delay offset jitter
==========================================================
-navobs1.oar.net .USNO. 1 u 958 1024 377 89.425 -6.073 0.695
*navobs1.gatech. .GPS. 1 u 183 1024 375 82.102 1.639 0.281
-NAVOBS1.MIT.EDU .PSC. 1 u 895 1024 377 90.912 -0.207 0.368
+navobs1.wustl.e .GPS. 1 u 48 1024 377 76.890 1.093 0.525
-bigben.cac.wash .USNO. 1 u 924 1024 377 113.327 0.028 0.326
+tick.ucla.edu .GPS. 1 u 107 1024 377 102.470 2.032 0.482
-ntp.alaska.edu .GPS. 1 u 881 1024 377 168.741 5.180 5.157
-tock.mhpcc.hpc. .GPS. 1 u 933 1024 377 174.518 -1.094 0.054