[pkg-ntp-maintainers] Should I worry about "ntpd[2994]: receive: Unexpected origin timestamp from" messages

Kurt Roeckx kurt at roeckx.be
Thu Oct 29 19:30:55 UTC 2015


On Thu, Oct 29, 2015 at 08:05:56PM +0100, Agustin Martin wrote:
> Hi, ntp maintainers,
> 
> I am seeing a number of messages like
> 
> ntpd[2866]: receive: Unexpected origin timestamp from 176.31.53.99
> 
> in my syslog.
> 
> According to http://www.cs.bu.edu/~goldbe/NTPattack.html this might be an
> indication of a so-called 'priming-the-pump' attack, but it suggests
> upgrading to ntpd v4.2.8p4. However, I already have Debian 1:4.2.8p4+dfsg-3
> installed.
> 
> 176.31.53.99 seems to be the current IP of 2.es.pool.Ntp.org
> 
> Should I worry about those messages?

I've seen the same issue and reported it upstream already.  I
think they would love to get a capture of the packets sent between
those hosts.  So run something like:

    tcpdump -i eth0 -p -w ntp.pcap host 176.31.53.99


Kurt
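
A capture like the ntp.pcap suggested above can be checked offline against the NTP rule that a server reply's origin timestamp must echo the transmit timestamp of the client's request (RFC 5905). The following is an added example, not part of the original thread and not ntpd's code; the function names are hypothetical, the sample capture is constructed, and it assumes a classic little-endian Ethernet pcap carrying IPv4 with the local ntpd acting as a mode 3 client.

```python
import struct

def ntp_packets(pcap: bytes):
    """Yield (src, dst, NTP payload) from a classic little-endian Ethernet pcap."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap variant")
    pos = 24                                   # skip the global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, pos + 8)[0]   # captured length
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # not IPv4/UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) >= 8 and 123 in struct.unpack_from("!HH", udp):
            yield ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), udp[8:]

def origin_mismatches(packets):
    """List server replies whose origin timestamp is not our pending transmit timestamp."""
    pending, bad = {}, []
    for src, dst, ntp in packets:
        if len(ntp) < 48:
            continue
        mode = ntp[0] & 0x07
        if mode == 3:                          # client request
            pending[dst] = ntp[40:48]          # remember our transmit timestamp
        elif mode == 4:                        # server reply
            org, want = ntp[24:32], pending.get(src)
            if org == want:
                del pending[src]               # a repeat of this reply is flagged too
            else:
                bad.append((src, org.hex(), want.hex() if want else None))
    return bad

# Constructed sample capture (documentation addresses, made-up timestamps).
def _ntp(mode, org, xmt):
    return bytes([0x20 | mode]) + bytes(23) + org + bytes(8) + xmt

def _rec(src, dst, ntp):
    ip = (bytes([0x45, 0]) + struct.pack("!H", 28 + len(ntp)) + bytes(5)
          + bytes([17, 0, 0]) + bytes(src) + bytes(dst))
    frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", 123, 123, 8 + len(ntp), 0) + ntp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

C, S = (192, 0, 2, 10), (198, 51, 100, 7)
T1, T2, BAD = b"\xda\x01" + bytes(6), b"\xda\x02" + bytes(6), b"\xde\xad" + bytes(6)
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _rec(C, S, _ntp(3, bytes(8), T1)), _rec(S, C, _ntp(4, T1, T1)),
    _rec(C, S, _ntp(3, bytes(8), T2)), _rec(S, C, _ntp(4, BAD, T2))])

if __name__ == "__main__":
    print(origin_mismatches(ntp_packets(SAMPLE)))
```

For a real capture, pass `open("ntp.pcap", "rb").read()` to `ntp_packets`; each reported tuple is the replying address, the origin timestamp it sent, and the transmit timestamp that was pending (or None if no request was outstanding).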



