I've noticed that, after changing the reg settings outlined in Episode 52 of the Stack Overflow podcast to pool.ntp.org, my box keeps requesting time from gordo.foofus.net. The web site hosted on that box is very strange. Is this a valid timeserver?
OK gordo, enough self-promotion. :) I edited the question to be a bit more general. – Jeff Atwood Jun 13 '09 at 03:15
What is a "valid timeserver"? If you trust only one or two servers, the problem is not with those servers! – U. Windl Aug 12 '21 at 07:40
11 Answers
The pool.ntp.org is a DNS-level load balancer. Jeff just happened to get directed to that one; the NTP pool maintainers do not care what the server runs on its port 80 (http), only that it serves time via NTP correctly.

I just listened to episode 52 of the podcast and noticed the same thing Joel did. This server lives in the ntp.org pool of time servers. As noted by Alex, it's serving a valid time and doesn't seem to be doing anything out of spec.

This looks like a legitimate time server to me:
[hex]~% ntpdate -q gordo.foofus.net
server 64.73.32.135, stratum 2, offset 21.538520, delay 0.05049
12 Jun 13:07:19 ntpdate[1098]: step time server 64.73.32.135 offset 21.538520 sec
If you're ever curious, and have ntpdate installed, you can always use the -q option to simply ask for the time without changing your clock.
It's very strange, though.
The questionable thing is not "offset 21.538520", but "offset from what?". – U. Windl Aug 12 '21 at 07:45
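An added example, not part of the answer or comment above: `ntpdate -q` reports each offset relative to the clock of the machine running it, so one server's figure only means something next to the figures from other servers. The sketch below parses result lines in the format quoted in the answer and flags servers that disagree with the median; only the first sample line comes from this page, while the 192.0.2.x addresses, their values and the `tolerance` threshold are constructed assumptions.

```python
import re
from statistics import median

# Constructed sample of `ntpdate -q` result lines. The first line is the one
# quoted in the answer; the other four are made up for illustration.
SAMPLE = """\
server 64.73.32.135, stratum 2, offset 21.538520, delay 0.05049
server 192.0.2.10, stratum 2, offset 21.541102, delay 0.03811
server 192.0.2.20, stratum 3, offset 21.529874, delay 0.07420
server 192.0.2.30, stratum 2, offset -38.200113, delay 0.06117
server 192.0.2.40, stratum 16, offset 0.000000, delay 0.00000
"""

LINE = re.compile(
    r"^server (?P<addr>\S+), stratum (?P<stratum>\d+), "
    r"offset (?P<offset>-?\d+\.\d+), delay (?P<delay>\d+\.\d+)$"
)

def parse(text):
    """Return one dict per well-formed 'server ...' line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append({"addr": m["addr"], "stratum": int(m["stratum"]),
                         "offset": float(m["offset"]), "delay": float(m["delay"])})
    return rows

def assess(rows, tolerance=0.128):
    """Compare every server with the median offset; tolerance (s) is an assumed value."""
    # Stratum 16 means "unsynchronized" in NTP; anything outside 1..15 is skipped.
    usable = [r for r in rows if 1 <= r["stratum"] <= 15]
    if len(usable) < 3:
        raise ValueError("need at least 3 usable servers to outvote a bad one")
    consensus = median(r["offset"] for r in usable)
    verdicts = {}
    for r in rows:
        if not 1 <= r["stratum"] <= 15:
            verdicts[r["addr"]] = "unusable"
        elif abs(r["offset"] - consensus) > tolerance:
            verdicts[r["addr"]] = "outlier"
        else:
            verdicts[r["addr"]] = "agrees"
    return consensus, verdicts
```

With the sample data the consensus offset is about 21.5 s and the queried server agrees with it, which points at the local clock being off rather than at the server.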
Just pick a "real" time server ... the fine folks at NIST are paid to render this service.

-1 for suggesting to use Stratum 1 time servers without qualifying a need. See http://support.ntp.org/bin/view/Servers/RulesOfEngagement . – Sep 07 '09 at 02:03
So what is a "real time server"? I don't know the exact numbers, but NIST is probably handling more than 10000 requests per second, and syncing your home PC over DSL from NIST most likely is just overkill. – U. Windl Aug 12 '21 at 07:48
I certainly wouldn't worry about it as a time server. Everything seems fine wrt the NTP service. The web site is funny, but, as Skolima said, the ntp.org pool doesn't place any restrictions on the web site content in the pool. I have to say, I got a kick out of "Gordo's response."
Have fun
This is a legitimate time server. It's a stratum-2 server and is linked to 12 stratum-1 time sources.

Unfortunately, neither being stratum-2 nor referencing 12 stratum-1 sources makes it a good time server. See my comment on the original question, too. – U. Windl Aug 12 '21 at 07:44
If you look at the main domain, http://www.foofus.net/, it is a legit security blog.
As for the subdomain gordo.foofus.net, I have no idea.
Anapologetos

Hmm. Never trust security guys! My guess: someone decided to attack HTTPS by turning back the clocks on expired certs. There may even be a time based attack in revocation lists. – jldugger Jun 12 '09 at 19:30
How is this "answer" related to the question, or how did you understand the question? Was it about the domain? – U. Windl Aug 12 '21 at 07:54
There doesn't appear to be any problem with the server. Clearly, the server administrators are completely insane, but I consider that a bonus! :) I'm now a big fan of gordo.foofus.net-attacks.mp3
Maybe add facts instead of opinions: What made you think the server does not have "any problem"? What made you think the "administrators are completely insane"? What about being a fan of something? – U. Windl Aug 12 '21 at 07:50
That's an excellent point Jeff. I think pool.ntp.org is a great resource and generally assists the Internet in ways y'all noted in Episode 52.
That said, it's interesting to me that anyone, anywhere, can inject a server into the NTP pool. From an adversarial perspective, this has some potential impact. From an architectural perspective, I think the way the pool is constructed can minimize the impact.
However, should an adversary employ some type of DNS cache poisoning attack to shift a network's NTP syncs to their malicious server, it could get interesting. There are many other attack scenarios I can think of.

Reading this I wondered who "Jeff" is. Please don't write answers like this. Also don't open new scenarios (like DNS cache poisoning) that do not add to answering the question. Also, I think you are missing the fact that `ntpd` replaces pool servers that look bad (i.e.: have the '-' flag) in your answer. – U. Windl Aug 12 '21 at 07:58
You should make sure that you are using the most specific geographic area that matches your location and that is offered at ntp.org.
For example, there is a us.pool.ntp.org that will always return a time server in the United States. There are other geographic pools available around the world.
This ensures that you will not receive a time server half way around the world when a perfectly good and more accurate server might be in your back yard.
This was also discussed in another thread on Server Fault

The way that pool.ntp.org works is that DNS lookups for time servers redirect to one (randomly selected) member of the pool. Each server that's in the pool will have its own name, and if you do a reverse DNS lookup on its IP address you'll get its real name, not the pool name you started with.
Perhaps an example will help:
$ nslookup pool.ntp.org
Non-authoritative answer:
Name: pool.ntp.org
Address: 83.133.127.245
Name: pool.ntp.org
Address: 217.25.36.102
$ nslookup 83.133.127.245
Non-authoritative answer:
245.127.133.83.in-addr.arpa name = wikisquare.de.
$ nslookup 217.25.36.102
Non-authoritative answer:
102.36.25.217.in-addr.arpa name = orbit.infidyne.com.

It's correct what you are saying, but how is it related to the question? – U. Windl Aug 12 '21 at 07:59
It's the reason why, when you set your server to pool.ntp.org, you can get gordo.foofus.net. Granted, it doesn't directly address "Is this a valid timeserver?" but then neither does the accepted answer. – Randy Orrison Aug 12 '21 at 11:02