[pkg-ntp-maintainers] Should I worry about "ntpd[2994]: receive: Unexpected origin timestamp from" messages
Kurt Roeckx
kurt at roeckx.be
Thu Oct 29 19:30:55 UTC 2015
On Thu, Oct 29, 2015 at 08:05:56PM +0100, Agustin Martin wrote:
> Hi, ntp maintainers,
>
> I am seeing a number of messages like
>
> ntpd[2866]: receive: Unexpected origin timestamp from 176.31.53.99
>
> in my syslog.
>
> According to http://www.cs.bu.edu/~goldbe/NTPattack.html this might be an
> indication of a so called 'priming-the-pump' attack, but it suggests to
> upgrade to ntpd v4.2.8p4. However, I already have Debian 1:4.2.8p4+dfsg-3
> installed.
>
> 176.31.53.99 seems to be be current IP of 2.es.pool.Ntp.org
>
> Should I worry about those messages?
I've seen the same issue and reported it upstream already. I
think they would love to get a capture of the packets send between
those hosts. So run something like:
tcpdump -i eth0 -p -w ntp.pcap host 176.31.53.99
Kurt
More information about the pkg-ntp-maintainers
mailing list