tcpdump: strange logging?

Hi,

I want to secure my ntp servers by setting restriction rules. Before doing so, I want to monitor the traffic going through the ntp port of the servers, so that I can change the configuration of "the unwanted clients" in time and they do not "lose" the correct time. To do this I am using tcpdump. Mostly it is working really fine, but I record 2 types of strange connections which I do not understand; maybe I did not understand deeply enough how tcpdump works, and I am asking your help to understand them.

the tcpdump command I am executing is like:

tcpdump -n -i interface port 123 

say sss.sss.sss.sss is the IP address of the machine where I am running tcpdump (the ntp server), and ccc.ccc.ccc.<number> is the IP of another machine. Note: we have a 10. network; some machines produce 192.168 addresses, but they are not routed. Note: we are speaking about a big company, i.e. tons of firewalls, routers etc. lie between the servers.

A normal ntp query connection looks like:

19:33:37.764379 IP ccc.ccc.ccc.001.123 > sss.sss.sss.sss.123: NTPv4, Client, length 48
19:33:37.764421 IP sss.sss.sss.sss.123 > ccc.ccc.ccc.001.123: NTPv4, Server, length 48

the remote client requests the time (line I, Client), the local server answers (line II, Server): fine.

Now the strange connection Nr1:

19:33:38.801105 IP 10.ccc.ccc.002.123 > 10.ccc.ccc.003.123: NTPv4, Server, length 48

Note:
1) it is a single line, not a Client/Server pair
2) the "source" of the packets is not the local host (the machine where I am running tcpdump)
3) the "destination" of the packets is not the local host (the machine where I am running tcpdump)

where does this packet come from?

Now the strange connection Nr2:

19:33:38.801105 IP 10.ccc.ccc.004.123 > 10.ccc.ccc.005.3121: NTPv4, Server, length 48

Note:
1) same as before, but the "destination" port is not 123

where does this packet come from?

Now the strange connection Nr3:

08:00:04.904630 IP 192.168.ccc.006.123 > sss.sss.sss.sss.123: NTPv3, Client, length 48
08:00:04.904646 IP sss.sss.sss.sss.123 > 192.168.ccc.006.123: NTPv3, Server, length 48

Note:
1) Now the structure "remote client asks, local server answers" is respected
2) but the remote client has an IP which is not routed at all??!?!

How can tcpdump get those packets?

So my questions are:
1) How should I interpret those packet records? (i.e. am I missing something in my understanding of tcpdump?)
2) Can I ignore those "strange records" in the configuration of my secure ntp server?

Thanks a lot.

I have partially understood the strange connections popping up.

tcpdump sets the network interface in promiscuous mode. This means that:

Still I do not understand the "strange connection Nr3", any idea?
Thanks

To be honest: I have no idea.

Having said this, here is a suspicion: as long as you can ARP someone you can have a connection. It doesn't matter that layer 3 wouldn't work when your layer 2 already handles the connection.

Have you looked in your ARP cache to see which MAC address this strange address maps to?

bakunin
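The promiscuous-mode observation and bakunin's ARP-cache suggestion, turned into one check. This is an added example, not code from the thread: it runs over constructed `tcpdump -e -n` and `ip neigh` output (every MAC and IP in the samples is made up) and assumes a Linux host with iproute2; point it at a real capture by replacing the two sample files.

```shell
#!/bin/sh
# Added example, not code from this thread. It sorts `tcpdump -e -n port 123` lines into
# flows that involve this host and flows captured only because the interface is in
# promiscuous mode, and maps every source MAC to the neighbour that owns it in
# `ip neigh` output. A non-routed source IP whose frame carries the gateway's MAC
# was relayed by that router; one carrying an unknown MAC sits on the local segment.
# Assumptions: Linux tcpdump/iproute2 text formats, IPv4 only, untagged Ethernet.

# Constructed sample capture; local host is 10.0.0.5, default gateway is 10.0.0.1.
SAMPLE_CAPTURE='19:33:37.764379 00:11:22:33:44:10 > 00:11:22:33:44:05, ethertype IPv4 (0x0800), length 90: 10.0.0.10.123 > 10.0.0.5.123: NTPv4, Client, length 48
19:33:37.764421 00:11:22:33:44:05 > 00:11:22:33:44:10, ethertype IPv4 (0x0800), length 90: 10.0.0.5.123 > 10.0.0.10.123: NTPv4, Server, length 48
19:33:38.801105 00:11:22:33:44:02 > 00:11:22:33:44:03, ethertype IPv4 (0x0800), length 90: 10.0.0.2.123 > 10.0.0.3.123: NTPv4, Server, length 48
19:33:38.801106 00:11:22:33:44:04 > 00:11:22:33:44:06, ethertype IPv4 (0x0800), length 90: 10.0.0.4.123 > 10.0.0.6.3121: NTPv4, Server, length 48
08:00:04.904630 00:11:22:33:44:01 > 00:11:22:33:44:05, ethertype IPv4 (0x0800), length 90: 192.168.7.6.123 > 10.0.0.5.123: NTPv3, Client, length 48'

# Constructed sample of `ip neigh show` on the same host.
SAMPLE_NEIGH='10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.10 dev eth0 lladdr 00:11:22:33:44:10 STALE'

# ntp_flows LOCAL_IP NEIGH_FILE CAPTURE_FILE
# Output per packet: LOCAL|PROMISC  src_ip  src_mac  via=<neighbour owning that MAC>  ->  dst_ip:dst_port
ntp_flows() {
    awk -v local="$1" '
        FILENAME == ARGV[1] { if ($4 == "lladdr") owner[$5] = $1; next }  # ip neigh: MAC -> IP
        {
            srcmac = $2
            split($0, parts, "length [0-9]+: ")        # drop the Ethernet header summary
            split(parts[2], f, " ")                      # f[1]=src.port  f[2]=">"  f[3]=dst.port:
            src = f[1]; dst = f[3]; sub(/:$/, "", dst)
            m = match(src, /\.[0-9]+$/); srcip = substr(src, 1, m - 1)
            m = match(dst, /\.[0-9]+$/); dstip = substr(dst, 1, m - 1); dstport = substr(dst, m + 1)
            kind = (srcip == local || dstip == local) ? "LOCAL" : "PROMISC"
            who = (srcmac in owner) ? owner[srcmac] : "unknown"
            printf "%s %s %s via=%s -> %s:%s\n", kind, srcip, srcmac, who, dstip, dstport
        }' "$2" "$3"
}

# demo: run the classifier over the constructed samples.
demo() {
    cap=$(mktemp) && neigh=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CAPTURE" > "$cap"
    printf '%s\n' "$SAMPLE_NEIGH" > "$neigh"
    ntp_flows 10.0.0.5 "$neigh" "$cap"
    rm -f "$cap" "$neigh"
}

demo
```

In the constructed data the 192.168 client's frame carries the MAC that `ip neigh` lists for 10.0.0.1, so the packet reached the server through that router rather than from a host on the local segment; the two PROMISC lines are other hosts' traffic that the NIC only sees because tcpdump put it into promiscuous mode.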